My search looks something like this:
index=name | eval request=case(X, Y, X, Y, X, Y) | stats latest(request) as Request | table Request
Whenever I run this I am getting blank output. I really need to solve getting this to run or an alternative to providing the latest event that passed the case criteria.
I have already tried doing this with nested if() statements as well instead of case, but no luck there either.
If you are correct in your redaction (a big if
; we could help better if you sent all the real SPL
), then the problem must be in the eval
. To test, add this as the last clause in your case
statement: true(), "DEBUG"
. You will see that DEBUG
is returned. Therefore, fix your case
. Also try running in verbose
mode because some versions of Splunk have bugs in other modes.
If you are correct in your redaction (a big if
; we could help better if you sent all the real SPL
), then the problem must be in the eval
. To test, add this as the last clause in your case
statement: true(), "DEBUG"
. You will see that DEBUG
is returned. Therefore, fix your case
. Also try running in verbose
mode because some versions of Splunk have bugs in other modes.
Have you verified the eval
is working as expected? When you run index=name | eval request=case(X, Y, X, Y, X, Y) | table request
do you see anything in the 'request' field?
I am getting nothing when doing that. My case is written like this more specifically:
eval response=case(name1==good AND name2==bad, "N1 good, N2 bad", ...)
I wasn't sure if using the == or = was correct, or if I could even use the AND in the parameter portion of the case function. The documentation isn't super clear and I have seen most of it used.
If you get nothing in the 'request' field then there is something wrong with the case
statement. Make sure all of the clauses are valid. You can use either =
or ==
. AND
can be used. Be sure to use a default clause at the end, something like 1==1, "oops"
.