Solved: Re: Help in using CASE Statement

Noob_splunker · ‎07-04-2020

Hi there,

I want to group the filter into Full Outage or Partial Outage.

filter	impact
3G Outage	Full Outage
Cell Blocked
Power Outage
Power Outage	Partial Outage
Cell Blocked

Here is my query:

| eval impact=case(
searchmatch("Cell Blocked"),"Partial Outage",
searchmatch("3G Outage"),"Full Outage",1=1,"No service impact")

Result:

The correct impact should be Full Outage. Can anyone help me out?

Thanks,

to4kawa · ‎07-04-2020

| makeresults
| eval filter=split("3G Outage,Cell Blocked,Power Outage",",")
| rename COMMENT as "this is sample"
| rename COMMENT as "the logic"
| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

filter is multivalue ,searchmatch() works only _raw and case() works in order.
How about this?

View solution in original post

to4kawa · ‎07-04-2020

| makeresults
| eval filter=split("3G Outage,Cell Blocked,Power Outage",",")
| rename COMMENT as "this is sample"
| rename COMMENT as "the logic"
| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

filter is multivalue ,searchmatch() works only _raw and case() works in order.
How about this?

Noob_splunker · ‎07-04-2020

@to4kawaawesome!

| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

this works fine for me! Thanks!

Help in using CASE Statement

field extraction

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?