Splunk Search

Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

saradachelluboy
Explorer

Hi All,

When I execute the search below, it works fine:

 index="X" sourcetype="xx" "applicationCode: 123" "providerCode: AAA" NOT("responseCode: 00" OR "responseCode: SM--")

But when integrated with Case condition it fails with error: Error in 'eval' command: The expression is malformed. Expected ).

index="X" sourcetype="xx" "applicationCode: 123"  responseCode=* | eval response_cd=case("applicationCode: 123" "providerCode: AAA" NOT("responseCode: 00" OR "responseCode: SM--" ,"AAA") | timechart count by response_cd usenull=f useother=f

Can some help me please!!!

0 Karma
1 Solution

chanmi2
Path Finder

Could you please try to specify AND in the statement in CASE?

| eval response_cd=case(_raw="*applicationCode: 123*" AND _raw="*providerCode: AAA*" AND _raw!="*responseCode: 00*" AND _raw!="*responseCode: SM--*" ,"AAA", 1==1, "BBB")

View solution in original post

0 Karma

woodcock
Esteemed Legend

Try starting out with this:

... | eval response_cd=case(_raw="*applicationCode: 123*", "AAA",
                            _raw="*applicationCode: XXX"*, "BBB"
                                                   true(), "UNK")
| stats count by response_cd
0 Karma

saradachelluboy
Explorer

The Search doesn't work even if it contains the data applicationCode: 123 it never displays

but if I removed case and tried search _raw="applicationCode: 123" I get the data. It's weird.

0 Karma

chanmi2
Path Finder

Could you please try to specify AND in the statement in CASE?

| eval response_cd=case(_raw="*applicationCode: 123*" AND _raw="*providerCode: AAA*" AND _raw!="*responseCode: 00*" AND _raw!="*responseCode: SM--*" ,"AAA", 1==1, "BBB")
0 Karma

saradachelluboy
Explorer

HUhu it worked with few changes

case(match(_raw,"applicationCode: 123"),"AAA",1=1,"UNK")

saradachelluboy
Explorer

I tried the below it didn't worked

| eval response_cd=case(_raw="*applicationCode: 123*"  ,"AAA", 1==1, "BBB")

I removed from case and tried it is getting data

_raw="*applicationCode: 123*"

is it that _raw doesn't work for case?

0 Karma

chanmi2
Path Finder

_raw contains the whole string, need to have *(any character) in the beginning and the end

0 Karma

saradachelluboy
Explorer

Yes I tried with start at the beginning and end. It didn't worked

_raw="*applicationCode: 123*"
0 Karma

maciep
Champion

I'm confused as to what you're trying to accomplish. What would you expect to end up in the repsonse_cd field after the eval?

To back up a moment, the case statement is used to test multiple conditions and return the value corresponding to the first matching condition. So

eval field = case (condition1,value1, condition2, value2, ..., conditionN, valueN)

For example, if you had a field for operating system called os_ver that contained windows version numbers you might use this to get a corresponding name:

eval os_name = case(os_ver="5.1","xp",os_ver="5.2","2003",os_ver="6.0","Vista",1=1,"unknown")

So what condition are you actually testing and what do you want the result to be?

0 Karma

saradachelluboy
Explorer

I have multiple conditions and value to start with. For testing purpose I have added only one condition

eval response_cd=case(_raw="applicationCode: 123","AAA",_raw="applicationCode: XXX", "BBB") | search response_cd=AAA

Things are working fine if I put directly _raw="applicationCode: 123" in search but when I am trying with if or case condition the data never pops up even if exists.

0 Karma

ddrillic
Ultra Champion

I see in my records something like | eval cat=case(host == "aaaa", "customer", host == "bbbb", "customer").

Can you please give this syntax a try?

0 Karma

saradachelluboy
Explorer

That is not delimited with colon so splunk takes enter string as applicationCode: 123.

I tried that earlier no luck.

0 Karma

ddrillic
Ultra Champion

Oh sorry, let me please check more ; -)

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...