Splunk Search

How to edit my case statement to work when added as a calculated field?

k_harini
Communicator

The below EVAL function is working as search command, but not working when added as calculated field

myindex |EVAL trans_type=case('Trans Type' like "Ser Req%","Service Request",'Trans Type' like "PROBLEM%","Problem",1=1,"Incident") | table trans_type

What change should i do? Please help

0 Karma
1 Solution

k_harini
Communicator

Thanks all for your response. Same EVAL statement worked as calculated field. During Field aliasing i did not use proper field name and hence the issue. Its resolved now.

0 Karma

niketn
Legend

Was the field alias for TransType?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

k_harini
Communicator

trans_type was not the field name from the source. Hence it didn't work. When I just used the same field name from the source, it worked.

0 Karma

niketn
Legend

Provided EVAL is lower case in the search string above, the search should work. Nevertheless, a Calculated Field will not have the eval keyword anyway.

Since the case statement seems to be correct for a Calculated Field, the following are the things you need to validate again:

1) The Calculated Field is applied on the correct app and sourcetype.
2) The Calculated Field has the correct permissions.
3) Since the 'Trans Type' field on which the eval runs seems to have a space, I am skeptical whether it is extracted prior to application of the Calculated Field or not. Due to the search-time operations sequence, Calculated Fields cannot be applied on
a) Lookups
b) Event Types
c) Tags

Refer to the following Splunk documentation on Calculated Fields and the search-time operations sequence:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/definecalcfields
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
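The fix the accepted solution describes (the calculated field must reference the field by the exact name the source extraction produces) together with niketn's search-time-sequence caveat, written out as an added props.conf example that is not from this thread; the stanza name my_sourcetype, the index name myindex and the wrong name Trans_Type in the broken line are assumptions.

```ini
# props.conf, search-time knowledge object (e.g. etc/apps/<app>/local/props.conf)
# Stanza name "my_sourcetype" is an assumption; use the sourcetype your events carry.
[my_sourcetype]

# BROKEN (the mistake in this thread): the expression references a name that the
# source extraction never produces.  'Trans_Type' is a placeholder for the wrong
# name.  Because like(null, ...) is null and case() skips a non-true condition,
# every event silently falls through to the 1=1 default and becomes "Incident",
# which hides the fact that the input field is missing.
# EVAL-trans_type = case('Trans_Type' like "Ser Req%", "Service Request", 'Trans_Type' like "PROBLEM%", "Problem", 1=1, "Incident")

# WORKING: reference the field by the exact name the extraction produces.
# Inside eval expressions a field name containing a space is wrapped in single
# quotes; string literals stay in double quotes; % is the like() wildcard.
EVAL-trans_type = case('Trans Type' like "Ser Req%", "Service Request", 'Trans Type' like "PROBLEM%", "Problem", 1=1, "Incident")

# Search-time operations run in a fixed order: field extraction, then field
# aliases, then calculated fields, then lookups, event types and tags.  So
# 'Trans Type' must come from an extraction or an alias, never from a lookup.

# Before trusting the calculated field, confirm the source field really exists
# under that exact name at search time (index and sourcetype are assumptions):
#   index=myindex sourcetype=my_sourcetype | fieldsummary | search field="Trans Type"
```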

k_harini
Communicator

It's the other way round. It's working in search, not as a calculated field.

0 Karma

niketn
Legend

Yes, that is what I mentioned. The Calculated Field should be working fine as per the case statement you have provided. Since it is not working for you, please ensure that the conditions in bold are met, e.g. the Trans Type field should not be a part of a Lookup table etc.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

hunters_splunk
Splunk Employee

Hi k_harini,

I don't think you can use case in conjunction with like.
Please try either this:

myindex |EVAL trans_type=case('Trans Type' == "Ser Req","Service Request",'Trans Type' == "PROBLEM","Problem",1==1,"Incident") | table trans_type

or something like this:

myindex |EVAL trans_type=if( like ('Trans Type', "Ser Req%"), "Service Request", "PROBLEM")

For detailed information about the Case and Like functions, please see: http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions

Hope it helps. Thanks!
Hunter

0 Karma

k_harini
Communicator

Thanks for your response. My query worked and the one that you have mentioned is also working in search.

Both are not working when added as calculated fields, something like this in my props.conf file:
EVAL-transtype = case('Trans Type' == "Ser Req","Service Request",'Trans Type' == "PROBLEM","Problem",1==1,"Incident")

Any idea why?

0 Karma