Splunk Search

How to search for latest case output

rlippincott
Explorer

My search looks something like this:

index=name | eval request=case(X, Y, X, Y, X, Y) | stats latest(request) as Request | table Request

Whenever I run this I am getting blank output. I really need to solve getting this to run or an alternative to providing the latest event that passed the case criteria.

I have already tried doing this with nested if() statements as well instead of case, but no luck there either.

0 Karma
1 Solution

woodcock
Esteemed Legend

If you are correct in your redaction (a big if; we could help better if you sent all the real SPL), then the problem must be in the eval. To test, add this as the last clause in your case statement: true(), "DEBUG". You will see that DEBUG is returned. Therefore, fix your case. Also try running in verbose mode because some versions of Splunk have bugs in other modes.

View solution in original post

woodcock
Esteemed Legend

If you are correct in your redaction (a big if; we could help better if you sent all the real SPL), then the problem must be in the eval. To test, add this as the last clause in your case statement: true(), "DEBUG". You will see that DEBUG is returned. Therefore, fix your case. Also try running in verbose mode because some versions of Splunk have bugs in other modes.

richgalloway
SplunkTrust
SplunkTrust

Have you verified the eval is working as expected? When you run index=name | eval request=case(X, Y, X, Y, X, Y) | table requestdo you see anything in the 'request' field?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

rlippincott
Explorer

I am getting nothing when doing that. My case is written like this more specifically:
eval response=case(name1==good AND name2==bad, "N1 good, N2 bad", ...)
I wasn't sure if using the == or = was correct, or if I could even use the AND in the parameter portion of the case function. The documentation isn't super clear and I have seen most of it used.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you get nothing in the 'request' field then there is something wrong with the case statement. Make sure all of the clauses are valid. You can use either = or ==. AND can be used. Be sure to use a default clause at the end, something like 1==1, "oops".

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...