Splunk Search

How to edit my eval case statements to get expected results based on multiple conditions and multiple fields?

evan_roggenkamp
Path Finder

I am trying to build a search where I can return a status_code based on the conditions of two fields:

<search> 
|eval severity_level=case(severity==0, "indeterminate", severity==1, "Critical", severity==2, "Major", severity==3, "Minor", severity==4, "Warning", severity==5, "Cleared") 
|stats count as Total
|eval status_code = case(Total>=1 AND severity_level==Critical, "105", Total>=1 AND severity_level==Major, "104", Total>=1 AND severity_level==Minor, "103", Total==0, "100")
|table status_code

This seems to work if the Total of the search was 0, upon which the status_code will be returned as 100.

The other status codes will not work even if the conditions are met.

This works:

<search>
|stats count as Total
|eval status_code=case(Total==0, "100",Total==1, "105")
|table status_code

What am I missing?

Tags (3)
0 Karma
1 Solution

sundareshr
Legend

You're missing the severity_level field in your eval status... statement. The only field available at that point in your search pipeline is the Total field. To get the severity_level, you need it to the stats command in the preview segment. Something like this perhaps ... | stats count as Total latest(severity_level) as severity_level | eval status_code .... This will give you the latest severity_level

View solution in original post

sundareshr
Legend

You're missing the severity_level field in your eval status... statement. The only field available at that point in your search pipeline is the Total field. To get the severity_level, you need it to the stats command in the preview segment. Something like this perhaps ... | stats count as Total latest(severity_level) as severity_level | eval status_code .... This will give you the latest severity_level

evan_roggenkamp
Path Finder

This is what I was missing, thanks.

I also found that I had to enclose the values of severity_level in the case statement:

|eval status_code = case(Total>=1 AND severity_level=="Critical", "105", Total>=1 AND severity_level=="Major", "104", Total>=1 AND severity_level=="Minor", "103", Total==0, "100")
0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...