I have a search that is | to REX then | to EVAL that is not working. I'm sure it must be a timing issue something like this
Search foo=something | REX "start(?<"name">.*)end" | EVAL NameColor=case(name=1,"red",name=2,"blue") | table _time NameColor
When I do the search without the eval i get results for "name" when I add the EVAL i get no results?
You should be using == instead of =.
foo=something | REX "start(?<"name">.*)end" | EVAL NameColor=case(name==1,"red",name==2,"blue") | table _time NameColor
The == is the proper operator for comparison according to the splunk documentation.
For a working example of what you're trying to do, use the following:
index=_internal sourcetype="splunkd" component="StatusMgr" | rex "source(?<value>.+?)=" | eval test=case(value=="Host", "This is a host", value=="Port", "This is a port") | table value test
If you're not getting results from your rex but not your eval, then the conditions of your case statement don't actually match the values being set in the rex.
Thanks emiller I tried that already. Thanks for contributing.
You might want to try this: foo=something | rex "start(?<name>.*)end" | eval NameColor = case(name=1,"red",name=2,"blue")| table _time NameColor
You don't need the quotes in the rex for the field "name". If that doesn't work, kindly post some example data to better help with regex.
In that case, do what emiller42 said. 😄
Thanks for the responce I only put the " " in to make name sow in the window. I don't use the "" in the code like you sugested