The below EVAL function is working as search command, but not working when added as calculated field
myindex |EVAL trans_type=case('Trans Type' like "Ser Req%","Service Request",'Trans Type' like "PROBLEM%","Problem",1=1,"Incident") | table trans_type
What change should I make? Please help.
Thanks all for your response. The same EVAL statement worked as a calculated field. During field aliasing I did not use the proper field name, and hence the issue. It's resolved now.
Was the field alias for TransType?
trans_type was not the field name from the source, hence it didn't work. When I just used the same field name from the source, it worked.
Provided EVAL is lower case in the search string, the above search should work. Nevertheless, Calculated Field will not have the eval keyword anyways.
Since case statement seems to be correct for Calculated Field, following are the things you need to validate again:
1) Calculated field is applied on correct app and sourcetype.
2) Calculated field has correct permissions.
3) Since the 'Trans Type' field on which the eval is applied seems to have a space, I am skeptical whether it is extracted prior to application of the Calculated Field or not. Due to the search-time operations sequence, Calculated Fields cannot be applied on
a) Lookups
b) Event Types
c) Tags
Refer to following Splunk documentations on Calculated Fields and Search Time operation sequence:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/definecalcfields
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence
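An added example (not from this thread or from Splunk's documentation) of how the calculated field discussed above could be written in props.conf, annotated with the checks listed in the answer. The stanza name `my_sourcetype` is a placeholder for the sourcetype the events actually carry.

```ini
# props.conf (constructed example; my_sourcetype is a placeholder)
# The stanza must match the sourcetype of the events, and the file must
# live in an app whose knowledge objects are visible to the searching user.
[my_sourcetype]

# Calculated field: the key is EVAL-<new_field_name> and the value is the
# bare eval expression, with no "eval" keyword and no pipe.
# A field name containing a space goes in single quotes; string literals
# go in double quotes. The name must match the field exactly as it is
# extracted from the source.
EVAL-trans_type = case('Trans Type' like "Ser Req%", "Service Request", 'Trans Type' like "PROBLEM%", "Problem", 1=1, "Incident")

# Search-time order: field extractions, then field aliases, then calculated
# fields, then lookups, event types and tags. An EVAL- expression can read
# extracted or aliased fields, but not fields produced by a lookup.
```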
It's the other way round. It's working in search, not as a calculated field.
Yes that is what I mentioned. Calculated Field should be working fine as per the case statement you have provided. Since it is not working for you please ensure that conditions in bold are met. Like Trans Type field should not be a part of Lookup table etc.
Hi k_harini,
I don't think you can use case in conjunction with like.
Please try either this:
myindex |EVAL trans_type=case('Trans Type' == "Ser Req","Service Request",'Trans Type' == "PROBLEM","Problem",1==1,"Incident") | table trans_type
or something like this:
myindex |EVAL trans_type=if( like ('Trans Type', "Ser Req%"), "Service Request", "PROBLEM")
For detailed information about the Case and Like functions, please see: http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions
Hope it helps. Thanks!
Hunter
Thanks for your response. My query worked and the one that you have mentioned is also working in search.
Both are not working when added as calculated fields.
something like this
EVAL-transtype = case('Trans Type' == "Ser Req","Service Request",'Trans Type' == "PROBLEM","Problem",1==1,"Incident") in my props.conf file.
Any idea why?