Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the limit on the number of branches in a single CASE statement in Splunk, and how can I optimize my current eval case statement?

magorinahory
New Member
‎11-19-2015 08:16 AM

Hello,

I have defined api_names and calculating counts and sigma limits for alert based on uri stem.
Example uri stem: /api/v1/customer/details/customernumber/12345
I can't use regex here (or I am not that skilled). I've created this:

| eval cs_uri_stem=lower(cs_uri_stem)
| rex field=cs_uri_stem "/api/v\d/(?<api_name>\w+[a-z-]\w+).*"

However, it will parse out api name only till the first slash /, so I'll match customer. However, I do not match customer/details/customernumber as they follow between additional slashes.
Due to this limitation, I've created big case statement with 122 x 2 branches.

| eval api_name = case(
like(cs_uri_stem,"/api/v%/customers/%"),"customers",    like(cs_uri_stem,"/api/v%/customers%"),"customers",
like(cs_uri_stem,"/api/v%/customer-groups/%"),"customer-groups",    like(cs_uri_stem,"/api/v%/customer-groups%"),"customer-groups",
like(cs_uri_stem,"/api/v%/customer-bases/%"),"customer-bases",  like(cs_uri_stem,"/api/v%/customer-bases%"),"customer-bases",
like(cs_uri_stem,"/api/v%/customer/shippingaddresses/list/%"),"customer/shippingaddresses/list",    like(cs_uri_stem,"/api/v%/customer/shippingaddresses/list%"),"customer/shippingaddresses/list",
like(cs_uri_stem,"/api/v%/customer/search/%"),"customer/search",    like(cs_uri_stem,"/api/v%/customer/search%"),"customer/search",
like(cs_uri_stem,"/api/v%/customer/details/customernumber/%"),"customer/details/customernumber",    like(cs_uri_stem,"/api/v%/customer/details/customernumber%"),"customer/details/customernumber",
like(cs_uri_stem,"/api/v%/customer/%"),"customer",  like(cs_uri_stem,"/api/v%/customer%"),"customer",
1=1,"OTHER")

Now questions:

1. What is the SPLUNK limitation on the number of branches in a single CASE statement?
2. What is impact of running such big case statement?
3. I assume that SPLUNK case statement is working in same manner as in SQL, so I've organized patterns in descending order to match first customer/details/customernumber and customer only on the rest. Am I correct?
4. Is there any opportunity to optimize this case statement?
5. Is there any alternative? (already thinking about leveraging rex and do it in multiple levels like customer = api_name_L1, details = api_name_L2, customernumnber = api_name_L3

I'll appreciate any help/comments here.

Thank you!
m.

Tags (5)
0 Karma
Reply

sundareshr
Legend
‎11-19-2015 05:11 PM

Try this regex to extract path till last slash. This might eliminate the need to have a complex case statement. 

v\d+(?<path>[\w\/]+)\/
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...