Solved: Re: Why is my search with an eval case condition r... - Splunk Community

Splunk Search

Hi All,

When I execute the search below, it works fine:

 index="X" sourcetype="xx" "applicationCode: 123" "providerCode: AAA" NOT("responseCode: 00" OR "responseCode: SM--")

But when integrated with Case condition it fails with error: Error in 'eval' command: The expression is malformed. Expected ).

index="X" sourcetype="xx" "applicationCode: 123"  responseCode=* | eval response_cd=case("applicationCode: 123" "providerCode: AAA" NOT("responseCode: 00" OR "responseCode: SM--" ,"AAA") | timechart count by response_cd usenull=f useother=f

Can some help me please!!!

1 Solution

Solution

Could you please try to specify AND in the statement in CASE?

| eval response_cd=case(_raw="*applicationCode: 123*" AND _raw="*providerCode: AAA*" AND _raw!="*responseCode: 00*" AND _raw!="*responseCode: SM--*" ,"AAA", 1==1, "BBB")

View solution in original post

Try starting out with this:

... | eval response_cd=case(_raw="*applicationCode: 123*", "AAA",
                            _raw="*applicationCode: XXX"*, "BBB"
                                                   true(), "UNK")
| stats count by response_cd

The Search doesn't work even if it contains the data applicationCode: 123 it never displays

but if I removed case and tried search _raw="applicationCode: 123" I get the data. It's weird.

Solution

Could you please try to specify AND in the statement in CASE?

| eval response_cd=case(_raw="*applicationCode: 123*" AND _raw="*providerCode: AAA*" AND _raw!="*responseCode: 00*" AND _raw!="*responseCode: SM--*" ,"AAA", 1==1, "BBB")

HUhu it worked with few changes

case(match(_raw,"applicationCode: 123"),"AAA",1=1,"UNK")

I tried the below it didn't worked

| eval response_cd=case(_raw="*applicationCode: 123*"  ,"AAA", 1==1, "BBB")

I removed from case and tried it is getting data

_raw="*applicationCode: 123*"

is it that _raw doesn't work for case?

_raw contains the whole string, need to have *(any character) in the beginning and the end

Yes I tried with start at the beginning and end. It didn't worked

_raw="*applicationCode: 123*"

I'm confused as to what you're trying to accomplish. What would you expect to end up in the repsonse_cd field after the eval?

To back up a moment, the case statement is used to test multiple conditions and return the value corresponding to the first matching condition. So

eval field = case (condition1,value1, condition2, value2, ..., conditionN, valueN)

For example, if you had a field for operating system called os_ver that contained windows version numbers you might use this to get a corresponding name:

eval os_name = case(os_ver="5.1","xp",os_ver="5.2","2003",os_ver="6.0","Vista",1=1,"unknown")

So what condition are you actually testing and what do you want the result to be?

I have multiple conditions and value to start with. For testing purpose I have added only one condition

eval response_cd=case(_raw="applicationCode: 123","AAA",_raw="applicationCode: XXX", "BBB") | search response_cd=AAA

Things are working fine if I put directly _raw="applicationCode: 123" in search but when I am trying with if or case condition the data never pops up even if exists.

I see in my records something like | eval cat=case(host == "aaaa", "customer", host == "bbbb", "customer").

Can you please give this syntax a try?

That is not delimited with colon so splunk takes enter string as applicationCode: 123.

I tried that earlier no luck.

Oh sorry, let me please check more ; -)

Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...