Splunk Search

What's wrong with my eval case statement?

ryhluc01
Communicator

What is wrong with this?

| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA" 
(sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR 
sourcetype="input7") AND index="foo2", "NA"
(sourcetype=”input8” OR sourcetype="input9" OR sourcetype="input10" OR sourcetype=”input11”) AND index=”foo3”, "NA", true(),"Count"))
0 Karma
1 Solution

woodcock
Esteemed Legend

Now that we have fixed the syntax errors, I think this would be better being replaced with this instead:

 index=foo 
 | eval Count=if(((sourcetype="input1" OR sourcetype="input2") AND index="foo1")
     OR ((sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2")
     OR ((sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3"), "NA", Count)


ryhluc01
Communicator

Thanks Everyone!

0 Karma

ryhluc01
Communicator

I'll give this a shot...one moment.

0 Karma

ryhluc01
Communicator

Hey Everyone,

So the corrections from @niketnilay & @woodcock were perfect.

Is there any way to keep my original values for everything else that does not meet the case conditions? That is what I was trying to achieve with the Count at the end of the syntax.

0 Karma

woodcock
Esteemed Legend

Somebody mistook me (@woodcock) for @somesoni2! 😆

0 Karma

ryhluc01
Communicator

@woodcock Thank you and you're right! How did I do that 😄
It's fixed. I think I just comb through so many forum posts a day, lol.

0 Karma

woodcock
Esteemed Legend

Like this:

index=foo 
| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA",
(sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2", "NA",
(sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3", "NA", 
true(), Count)

You were missing 2 commas, had an extra ) on the end, and had Microsoft/paired/handed double-quotes instead of the Splunk ones. Cut and paste my answer above.
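
As an added example (not part of any post in this thread), the following self-contained search builds one constructed row per case branch with makeresults and append, then applies the corrected case() with the Count field (not the "Count" string) as the true() fallback, so you can confirm which rows become "NA" and which keep their original Count. The field and value names are the ones used in the thread; the row values are made up.

```spl
| makeresults
| eval index="foo1", sourcetype="input1", Count=5
| append [| makeresults | eval index="foo2", sourcetype="input7", Count=12]
| append [| makeresults | eval index="foo3", sourcetype="input8", Count=3]
| append [| makeresults | eval index="foo1", sourcetype="input8", Count=42]
| append [| makeresults | eval index="foo9", sourcetype="other", Count=7]
| eval Count=case(
    (sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA",
    (sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2", "NA",
    (sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3", "NA",
    true(), Count)
| table index sourcetype Count
```

The first three constructed rows match a branch and come out as "NA"; the fourth (input8 in foo1, a sourcetype/index combination no branch covers) and the fifth (no match at all) fall through to true() and keep 42 and 7. One caveat worth knowing before using this in a real search: once some values are the string "NA", Count is no longer purely numeric, so a later stats sum(Count) or similar will silently skip those rows; if you need arithmetic afterwards, keep the marker in a separate field instead of overwriting Count.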

woodcock
Esteemed Legend

I edited my original answer. You also were using "Count" which is a string-literal instead of Count which is a field name. I assume that you meant the latter. Also, see my other answer.

FrankVl
Ultra Champion

That last ) is redundant 🙂

woodcock
Esteemed Legend

Thank you, yes.

niketnilay
Legend

@ryhluc01 you are missing a couple of commas in the first two case conditions. You also have an extra close bracket. Finally, be cautious with quote characters; UTF-8 quote characters are only accepted in SPL. Try the following:

| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA", 
    (sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2", "NA",
    (sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3", "NA",
    true(),"Count")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketnilay
Legend

@ryhluc01 if your issue is resolved, do accept the answer to mark this question as answered.


sdchakraborty
Contributor

The structure of case is

case(condition, value if success, 1=1, value if none of the conditions succeed)

Please try the below code,

|  makeresults 
|  eval sourcetype="input8", index="foo3"
|  eval Count=case(((sourcetype="input1" OR sourcetype="input2") AND index="foo1"), "true" ,
((sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR 
sourcetype="input7") AND index="foo2"), "true",
((sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3"), "true",1=1,"Count")

FrankVl
Ultra Champion

true() can be used just as well and why are you replacing his "NA" by "true"? Also, no need to put () around each entire logical expression.

ryhluc01
Communicator

Error in 'eval' command: The expression is malformed. Expected ).

0 Karma