Solved: Help in using CASE Statement

Noob_splunker · ‎07-04-2020

Hi there,

I want to group the filter into Full Outage or Partial Outage.

filter	impact
3G Outage	Full Outage
Cell Blocked
Power Outage
Power Outage	Partial Outage
Cell Blocked

Here is my query:

| eval impact=case(
searchmatch("Cell Blocked"),"Partial Outage",
searchmatch("3G Outage"),"Full Outage",1=1,"No service impact")

Result:

The correct impact should be Full Outage. Can anyone help me out?

Thanks,

to4kawa · ‎07-04-2020

| makeresults
| eval filter=split("3G Outage,Cell Blocked,Power Outage",",")
| rename COMMENT as "this is sample"
| rename COMMENT as "the logic"
| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

filter is multivalue ,searchmatch() works only _raw and case() works in order.
How about this?

View solution in original post

to4kawa · ‎07-04-2020

| makeresults
| eval filter=split("3G Outage,Cell Blocked,Power Outage",",")
| rename COMMENT as "this is sample"
| rename COMMENT as "the logic"
| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

filter is multivalue ,searchmatch() works only _raw and case() works in order.
How about this?

Noob_splunker · ‎07-04-2020

@to4kawaawesome!

| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

this works fine for me! Thanks!

Help in using CASE Statement

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation