Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my eval case statements to get expected results based on multiple conditions and multiple fields?

evan_roggenkamp
Path Finder
‎04-27-2016 12:22 PM

I am trying to build a search where I can return a status_code based on the conditions of two fields:

<search> 
|eval severity_level=case(severity==0, "indeterminate", severity==1, "Critical", severity==2, "Major", severity==3, "Minor", severity==4, "Warning", severity==5, "Cleared") 
|stats count as Total
|eval status_code = case(Total>=1 AND severity_level==Critical, "105", Total>=1 AND severity_level==Major, "104", Total>=1 AND severity_level==Minor, "103", Total==0, "100")
|table status_code

This seems to work if the Total of the search was 0, upon which the status_code will be returned as 100.

The other status codes will not work even if the conditions are met.

This works:

<search>
|stats count as Total
|eval status_code=case(Total==0, "100",Total==1, "105")
|table status_code

What am I missing?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-27-2016 12:35 PM

You're missing the severity_level field in your eval status... statement. The only field available at that point in your search pipeline is the Total field. To get the severity_level, you need it to the stats command in the preview segment. Something like this perhaps ... | stats count as Total latest(severity_level) as severity_level | eval status_code .... This will give you the latest severity_level

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-27-2016 12:35 PM

You're missing the severity_level field in your eval status... statement. The only field available at that point in your search pipeline is the Total field. To get the severity_level, you need it to the stats command in the preview segment. Something like this perhaps ... | stats count as Total latest(severity_level) as severity_level | eval status_code .... This will give you the latest severity_level

Reply
Solved! Jump to solution

evan_roggenkamp
Path Finder
‎04-27-2016 12:43 PM

This is what I was missing, thanks.

I also found that I had to enclose the values of severity_level in the case statement:

|eval status_code = case(Total>=1 AND severity_level=="Critical", "105", Total>=1 AND severity_level=="Major", "104", Total>=1 AND severity_level=="Minor", "103", Total==0, "100")
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk ITSI & Correlated Network Visibility

 Take Your Network Visibility to the Next LevelIn today’s complex IT environments, performance issues can stem ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...