Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help in using CASE Statement

Noob_splunker
Explorer
‎07-04-2020 01:57 PM

Hi there,

I want to group the filter into Full Outage or Partial Outage.

filter impact

3G Outage

Full Outage

Cell Blocked

Power Outage

Power OutagePartial Outage

Cell Blocked

 

Here is my query:

| eval impact=case(
searchmatch("Cell Blocked"),"Partial Outage",
searchmatch("3G Outage"),"Full Outage",1=1,"No service impact")

 

Result:

 

result.PNG

 

The correct impact should be Full Outage. Can anyone help me out?

 

Thanks,

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎07-04-2020 03:42 PM

 

| makeresults
| eval filter=split("3G Outage,Cell Blocked,Power Outage",",")
| rename COMMENT as "this is sample"
| rename COMMENT as "the logic"
| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

 

filter is multivalue ,searchmatch() works only _raw and case() works in order.
How about this?

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎07-04-2020 03:42 PM

 

| makeresults
| eval filter=split("3G Outage,Cell Blocked,Power Outage",",")
| rename COMMENT as "this is sample"
| rename COMMENT as "the logic"
| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

 

filter is multivalue ,searchmatch() works only _raw and case() works in order.
How about this?

Reply
Solved! Jump to solution

Noob_splunker
Explorer
‎07-04-2020 03:57 PM

@to4kawaawesome!

 

| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

this works fine for me! Thanks!

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...