Solved: How to create a case statement with NOT LIKE optio...

zacksoft · ‎05-22-2018

| eval usage=case(like(_raw,"%FirstClass%"),"A_Grade",like(_raw,"%SecondClass%"),"B_Grade",like(_raw,"%ThirdClass%"),"C_Grade")

My question is, in the above statement when I draw a pie chart that gives me A, B, C_Grade. However I want to know all the failed student in the chart as well.
My _raw contains all the events i.e. all three grades and the failed student as well.
The logic to find that is, "If the _raw doesn't contain the string 'FirstClass' or 'SecondClass' or 'ThirdClass' , then whatever remaining in _raw is considered as 'Failed'. How do I implement this logic using case?

niketn · ‎05-22-2018

@zacksoft, you can use searchmatch() to find pattern in raw events (ideally you should create field extractions).
As per the question you have case() conditions to match A, B and C grades and everything else is supposed to be considered as Failed. So, you can use true() or 1==1 condition in the case() statement to defined unmatched events as Failed. Please try the following run anywhere search and confirm:

| makeresults 
| eval data="FirstClass;SecondClass;ThirdClass;Others"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| eval usage=case(searchmatch("FirstClass"),"A_Grade",searchmatch("SecondClass"),"B_Grade",searchmatch("ThirdClass"),"C_Grade",true(),"Failed")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎05-22-2018

@zacksoft, you can use searchmatch() to find pattern in raw events (ideally you should create field extractions).
As per the question you have case() conditions to match A, B and C grades and everything else is supposed to be considered as Failed. So, you can use true() or 1==1 condition in the case() statement to defined unmatched events as Failed. Please try the following run anywhere search and confirm:

| makeresults 
| eval data="FirstClass;SecondClass;ThirdClass;Others"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| eval usage=case(searchmatch("FirstClass"),"A_Grade",searchmatch("SecondClass"),"B_Grade",searchmatch("ThirdClass"),"C_Grade",true(),"Failed")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

zacksoft · ‎05-22-2018

Absolutely brilliant. Thank you very much. The solution you provided does exactly what I wanted.

niketn · ‎05-22-2018

@zacksoft, glad it worked 🙂 Accept the answer to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

xpac · ‎05-22-2018

Use this:

| eval usage=case(like(_raw,"%FirstClass%"),"A_Grade",like(_raw,"%SecondClass%"),"B_Grade",like(_raw,"%ThirdClass%"),"C_Grade", true(), "failed")

Case will take the first statement that is true, so the true() will be the last-case-fallback and return "failed" for all that did not meet any other criteria before.

zacksoft · ‎05-22-2018

Thanks @xpac.
But it only returns me the events that are "failed". It won't return me A_Grade, B_Grade, C_Grade data !

xpac · ‎05-22-2018

If that's the case, it's an issue with the rest of your query. Eval never filters anything out.

FrankVl · ‎05-22-2018

That approach to put a true(),"failed" option at the end of the case statement is perfectly valid though. Can you post the exact code you tested with? Please post it as code (using the 101010 button).

How to create a case statement with NOT LIKE option?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...