Solved: Re: What's wrong with my eval case statement?

ryhluc01 · ‎03-06-2019

What is wrong with this?

| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA" 
(sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR 
sourcetype="input7") AND index="foo2", "NA"
(sourcetype=”input8” OR sourcetype="input9" OR sourcetype="input10" OR sourcetype=”input11”) AND index=”foo3”, "NA", true(),"Count"))

woodcock · ‎03-07-2019

Now that we have fixed the syntax errors, I think this would be better being replaced with this instead:

 index=foo 
 | eval Count=if(((sourcetype="input1" OR sourcetype="input2") AND index="foo1")
     OR ((sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2")
     OR ((sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3"), "NA", Count)

View solution in original post

ryhluc01 · ‎03-07-2019

Thanks Everyone!

woodcock · ‎03-07-2019

Now that we have fixed the syntax errors, I think this would be better being replaced with this instead:

 index=foo 
 | eval Count=if(((sourcetype="input1" OR sourcetype="input2") AND index="foo1")
     OR ((sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2")
     OR ((sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3"), "NA", Count)

ryhluc01 · ‎03-07-2019

I'll give this a shot...one moment.

ryhluc01 · ‎03-07-2019

Hey Everyone,

So the corrections from @niketnilay & @woodcock were perfect.

Is there anyway to keep my original values for everything else that does not meet the case conditions? That is what I was trying to achieve with the count @ the end of the syntax.

woodcock · ‎03-07-2019

Somebody mistook me (@woodcock) for @somesoni2! 😆

ryhluc01 · ‎03-07-2019

@woodcock Thank you and you're right! How did I do that 😄
Its fixed. I think I just comb through so many forum posts a day lol.

woodcock · ‎03-07-2019

Like this:

index=foo 
| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA",
(sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2", "NA",
(sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3", "NA", 
true(), Count)

You were missing 2 commas, had an extra ) on the end and had microsoft/paired/handed double-quotes instead of the splunk ones. Cut and paste my answer above.

woodcock · ‎03-07-2019

I edited my original answer. You also were using "Count" which is a string-literal instead of Count which is a field name. I assume that you meant the latter. Also, see my other answer.

FrankVl · ‎03-07-2019

That last ) is redundant 🙂

woodcock · ‎03-07-2019

Thank you, yes.

niketn · ‎03-07-2019

@ryhluc01 you are missing couple of commas with first two case conditions. You also have an extra close bracket. Finally be cautious with quotes characters UTF-8 quotes characters are only accepted in SPL. Try the following:

| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA", 
    (sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2", "NA",
    (sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3", "NA",
    true(),"Count")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎03-07-2019

@ryhluc01 if your issue is resolved, do accept the answer to mark this question as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

sdchakraborty · ‎03-06-2019

The structure of case is

Case (condition,value if success, 1=1, value if none of the condition success)

Please try the below code,

|  makeresults 
|  eval sourcetype="input8", index="foo3"
|  eval Count=case(((sourcetype="input1" OR sourcetype="input2") AND index="foo1"), "true" ,
((sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR 
sourcetype="input7") AND index="foo2"), "true",
((sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3"), "true",1=1,"Count")

FrankVl · ‎03-07-2019

true() can be used just as well and why are you replacing his "NA" by "true"? Also, no need to put () around each entire logical expression.

ryhluc01 · ‎03-06-2019

Error in 'eval' command: The expression is malformed. Expected ).

What's wrong with my eval case statement?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?