Splunk Search

What's wrong with my eval case statement?

Communicator

What is wrong with this?

| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA" 
(sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR 
sourcetype="input7") AND index="foo2", "NA"
(sourcetype=”input8” OR sourcetype="input9" OR sourcetype="input10" OR sourcetype=”input11”) AND index=”foo3”, "NA", true(),"Count"))

Re: What's wrong with my eval case statement?

Communicator

Error in 'eval' command: The expression is malformed. Expected ).


Re: What's wrong with my eval case statement?

Contributor

The structure of case is

case(condition, value if true, ..., 1=1, value if none of the conditions match)

Please try the code below:

| makeresults
| eval sourcetype="input8", index="foo3"
| eval Count=case(((sourcetype="input1" OR sourcetype="input2") AND index="foo1"), "true",
    ((sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2"), "true",
    ((sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3"), "true",
    1=1, "Count")

Re: What's wrong with my eval case statement?

Ultra Champion

true() can be used just as well, and why are you replacing his "NA" with "true"? Also, there is no need to put () around each entire logical expression.


Re: What's wrong with my eval case statement?

Legend

@ryhluc01 you are missing a couple of commas after the first two case conditions. You also have an extra closing bracket. Finally, be cautious with quote characters: UTF-8 quote characters are the only ones accepted in SPL. Try the following:

| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA", 
    (sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2", "NA",
    (sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3", "NA",
    true(),"Count")



| eval message="Happy Splunking!!!"



Re: What's wrong with my eval case statement?

Legend

@ryhluc01, if your issue is resolved, do accept the answer to mark this question as answered.




| eval message="Happy Splunking!!!"



Re: What's wrong with my eval case statement?

Esteemed Legend

Like this:

index=foo 
| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA",
(sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2", "NA",
(sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3", "NA", 
true(), Count)

You were missing 2 commas, had an extra ) on the end, and had Microsoft/paired/handed double quotes instead of the Splunk ones. Cut and paste my answer above.
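The two replies above (the one beginning "you are missing a couple of commas" and this one) name the same three defects: straight-vs-curly quotes, an extra closing parenthesis, and commas missing between a case() value and the next condition. The checker below, added here as an example and not part of the original thread or of Splunk, is a small Python linter for one `| eval ... case(...)` statement that flags exactly those three problems. It embeds the statement from the question above (pasted with its curly quotes and line breaks) and the corrected form as sample input. Its tokenizing is deliberately simple: it does not handle backslash-escaped quotes inside string literals, and the "missing comma" heuristic only fires when a string literal is directly followed by another operand, which is what a missing comma produces in a case() argument list.

```python
"""Lint the argument list of an SPL eval case() expression.

Added example for this thread; it is not Splunk code and not any poster's
code. It checks the three defects the replies point out in the original
statement: curly ("smart") quotes, an extra closing parenthesis, and a
missing comma between a case() value and the following condition.
"""
import re

# Word-processor quotes and their ASCII equivalents. SPL only accepts ASCII ".
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}
# Keywords that may legitimately follow an operand; anything else after a
# string literal means two operands sit side by side, i.e. a missing comma.
OPERATOR_WORDS = {"AND", "OR", "XOR", "NOT", "LIKE"}

# Sample input: the statement from the question above, pasted as written
# (curly quotes, missing commas, extra parenthesis), and the corrected form.
OP_STATEMENT = (
    '| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA" \n'
    '(sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR \n'
    'sourcetype="input7") AND index="foo2", "NA"\n'
    '(sourcetype=\u201dinput8\u201d OR sourcetype="input9" OR sourcetype="input10" OR '
    'sourcetype=\u201dinput11\u201d) AND index=\u201dfoo3\u201d, "NA", true(),"Count"))'
)
FIXED_STATEMENT = (
    '| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA",\n'
    '(sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR '
    'sourcetype="input7") AND index="foo2", "NA",\n'
    '(sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") '
    'AND index="foo3", "NA",\n'
    'true(), Count)'
)


def normalize_quotes(spl: str) -> str:
    """Replace curly quotes with their ASCII equivalents."""
    return "".join(SMART_QUOTES.get(ch, ch) for ch in spl)


def extract_case_body(spl: str) -> tuple[str, str]:
    """Return (body, trailer): the text inside case( ... ) and whatever follows
    its closing parenthesis. Parentheses inside string literals are not counted."""
    m = re.search(r"\bcase\s*\(", spl, re.IGNORECASE)
    if not m:
        raise ValueError("no case( call found")
    start, depth, in_str = m.end(), 1, False
    for i in range(start, len(spl)):
        ch = spl[i]
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    return spl[start:i], spl[i + 1:]
    raise ValueError("case( is never closed")


def split_top_level_args(body: str) -> list[str]:
    """Split on commas that are not nested inside () or a string literal."""
    args, cur, depth, in_str = [], [], 0, False
    for ch in body:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                args.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    args.append("".join(cur).strip())
    return args


def missing_comma_after_literal(arg: str) -> bool:
    """True when a string literal is directly followed by another operand
    (e.g. '"NA" (sourcetype=...)'): SPL has no juxtaposition operator, so
    the comma separating two case() arguments must be missing."""
    i = 0
    while (i := arg.find('"', i)) >= 0:
        end = arg.find('"', i + 1)            # closing quote; escapes ignored
        if end < 0:
            return False
        nxt = re.match(r"\(|[A-Za-z_]\w*", arg[end + 1:].lstrip())
        if nxt and (nxt.group() == "(" or nxt.group().upper() not in OPERATOR_WORDS):
            return True
        i = end + 1
    return False


def lint_case(spl: str) -> list[str]:
    """Return findings for one eval ... case(...) statement; [] means it parses."""
    findings = []
    if any(ch in SMART_QUOTES for ch in spl):
        findings.append("curly quotes present; SPL only accepts ASCII quotes")
    try:
        body, trailer = extract_case_body(normalize_quotes(spl))
    except ValueError as exc:
        return findings + [str(exc)]
    if trailer.strip().startswith(")"):
        findings.append("extra ')' after the parenthesis that closes case()")
    args = split_top_level_args(body)
    if len(args) % 2:
        findings.append(f"case() has {len(args)} arguments; expected condition/value pairs")
    pairs = [i // 2 + 1 for i, a in enumerate(args) if missing_comma_after_literal(a)]
    if pairs:
        findings.append(f"missing comma after the value of condition(s) {pairs}")
    return findings


if __name__ == "__main__":
    for label, stmt in (("original", OP_STATEMENT), ("corrected", FIXED_STATEMENT)):
        findings = lint_case(stmt)
        print(f"{label}: {'well formed' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, it reports the three findings for the original statement and nothing for the corrected one. Note that the original has six top-level arguments once the commas are missing, an even number, so an argument-parity check alone would not have caught it; the literal-followed-by-operand check is what exposes the merged value/condition pairs. The same tokenizing approach is what you would use to lint detection SPL kept in a repository before it is pushed to a search head.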


Re: What's wrong with my eval case statement?

Ultra Champion

That last ) is redundant 🙂


Re: What's wrong with my eval case statement?

Esteemed Legend

Thank you, yes.


Re: What's wrong with my eval case statement?

Esteemed Legend

I edited my original answer. You were also using "Count", which is a string literal, instead of Count, which is a field name. I assume that you meant the latter. Also, see my other answer.