Solved: Help in using CASE Statement

Noob_splunker · ‎07-04-2020

Hi there,

I want to group the filter into Full Outage or Partial Outage.

filter	impact
3G Outage	Full Outage
Cell Blocked
Power Outage
Power Outage	Partial Outage
Cell Blocked

Here is my query:

| eval impact=case(
searchmatch("Cell Blocked"),"Partial Outage",
searchmatch("3G Outage"),"Full Outage",1=1,"No service impact")

Result:

The correct impact should be Full Outage. Can anyone help me out?

Thanks,

to4kawa · ‎07-04-2020

| makeresults
| eval filter=split("3G Outage,Cell Blocked,Power Outage",",")
| rename COMMENT as "this is sample"
| rename COMMENT as "the logic"
| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

filter is multivalue ,searchmatch() works only _raw and case() works in order.
How about this?

View solution in original post

to4kawa · ‎07-04-2020

| makeresults
| eval filter=split("3G Outage,Cell Blocked,Power Outage",",")
| rename COMMENT as "this is sample"
| rename COMMENT as "the logic"
| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

filter is multivalue ,searchmatch() works only _raw and case() works in order.
How about this?

Noob_splunker · ‎07-04-2020

@to4kawaawesome!

| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

this works fine for me! Thanks!

Help in using CASE Statement

field extraction

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023