How can I case eval this so that:
if Logon_VM is 202-VM-MS, then MICROSOFT
OR
if Logon_VM is 202-VM-BOB, then BOB'S WAFFLES
ELSE
all the rest will be TEST COMPANY.
This all works up until else the rest are TEST COMPANY.
eval Company = case(Logon_VM == "202-VM-MS","MICROSOFT",Logon_VM == "202-VM-BOB","BOB'S WAFFLES",Logon_VM == "B0-202-VM-*","TEST COMPANY")
Case uses an if x, then y pattern, and will default to "NULL" if there is no match. You can change the default value by making the last pairing default to true.
Try this:
eval Company = case(Logon_VM == "202-VM-MS","MICROSOFT",Logon_VM == "202-VM-BOB","BOB'S WAFFLES", 1=1,"TEST COMPANY")
Thanks for this last example. This is what I was looking for in a separate search.
1) Splunk provides a True() function, which you should use in place of the 1=1.
2) I believe that should be 1==1.
I found the answer here, just add any true statement like 1=1, "TEST COMPANY" in the eval statement.
So: eval Company = case(Logon_VM == "202-VM-MS","MICROSOFT",Logon_VM == "202-VM-BOB","BOB'S WAFFLES",1=1,"TEST COMPANY")
Found it from Ayn on https://answers.splunk.com/answers/26522/if-statment-or-nested-if.html
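A run-anywhere search comparing the three forms discussed in this thread, added here as an example and not taken from any of the posts. The four Logon_VM values are constructed sample data, and the "UNMAPPED" label and the no_default / with_default / prefix_only field names are hypothetical.

```spl
| makeresults
| eval Logon_VM=split("202-VM-MS,202-VM-BOB,B0-202-VM-01,LAB-HOST-7", ",")
| mvexpand Logon_VM
| eval no_default = case(Logon_VM == "202-VM-MS", "MICROSOFT",
                         Logon_VM == "202-VM-BOB", "BOB'S WAFFLES",
                         Logon_VM == "B0-202-VM-*", "TEST COMPANY")
| eval with_default = case(Logon_VM == "202-VM-MS", "MICROSOFT",
                           Logon_VM == "202-VM-BOB", "BOB'S WAFFLES",
                           true(), "TEST COMPANY")
| eval prefix_only = case(Logon_VM == "202-VM-MS", "MICROSOFT",
                          Logon_VM == "202-VM-BOB", "BOB'S WAFFLES",
                          like(Logon_VM, "B0-202-VM-%"), "TEST COMPANY",
                          true(), "UNMAPPED")
| eval no_default = coalesce(no_default, "(null)")
| table Logon_VM no_default with_default prefix_only
```

In eval, == compares against the literal string, so the "B0-202-VM-*" pairing never matches and no_default comes back null for both B0-202-VM-01 and LAB-HOST-7, while with_default labels both of them TEST COMPANY. The prefix_only column uses like() with the % wildcard, so only B0-202-VM-01 becomes TEST COMPANY and LAB-HOST-7 shows up as UNMAPPED instead of being absorbed by the catch-all.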