Solved: Re: Why is my search with an eval case condition r... - Splunk Community

Splunk Search

Hi All,

When I execute the search below, it works fine:

 index="X" sourcetype="xx" "applicationCode: 123" "providerCode: AAA" NOT("responseCode: 00" OR "responseCode: SM--")

But when integrated with Case condition it fails with error: Error in 'eval' command: The expression is malformed. Expected ).

index="X" sourcetype="xx" "applicationCode: 123"  responseCode=* | eval response_cd=case("applicationCode: 123" "providerCode: AAA" NOT("responseCode: 00" OR "responseCode: SM--" ,"AAA") | timechart count by response_cd usenull=f useother=f

Can some help me please!!!

1 Solution

Solution

Could you please try to specify AND in the statement in CASE?

| eval response_cd=case(_raw="*applicationCode: 123*" AND _raw="*providerCode: AAA*" AND _raw!="*responseCode: 00*" AND _raw!="*responseCode: SM--*" ,"AAA", 1==1, "BBB")

View solution in original post

Try starting out with this:

... | eval response_cd=case(_raw="*applicationCode: 123*", "AAA",
                            _raw="*applicationCode: XXX"*, "BBB"
                                                   true(), "UNK")
| stats count by response_cd

The Search doesn't work even if it contains the data applicationCode: 123 it never displays

but if I removed case and tried search _raw="applicationCode: 123" I get the data. It's weird.

Solution

Could you please try to specify AND in the statement in CASE?

| eval response_cd=case(_raw="*applicationCode: 123*" AND _raw="*providerCode: AAA*" AND _raw!="*responseCode: 00*" AND _raw!="*responseCode: SM--*" ,"AAA", 1==1, "BBB")

HUhu it worked with few changes

case(match(_raw,"applicationCode: 123"),"AAA",1=1,"UNK")

I tried the below it didn't worked

| eval response_cd=case(_raw="*applicationCode: 123*"  ,"AAA", 1==1, "BBB")

I removed from case and tried it is getting data

_raw="*applicationCode: 123*"

is it that _raw doesn't work for case?

_raw contains the whole string, need to have *(any character) in the beginning and the end

Yes I tried with start at the beginning and end. It didn't worked

_raw="*applicationCode: 123*"

I'm confused as to what you're trying to accomplish. What would you expect to end up in the repsonse_cd field after the eval?

To back up a moment, the case statement is used to test multiple conditions and return the value corresponding to the first matching condition. So

eval field = case (condition1,value1, condition2, value2, ..., conditionN, valueN)

For example, if you had a field for operating system called os_ver that contained windows version numbers you might use this to get a corresponding name:

eval os_name = case(os_ver="5.1","xp",os_ver="5.2","2003",os_ver="6.0","Vista",1=1,"unknown")

So what condition are you actually testing and what do you want the result to be?

I have multiple conditions and value to start with. For testing purpose I have added only one condition

eval response_cd=case(_raw="applicationCode: 123","AAA",_raw="applicationCode: XXX", "BBB") | search response_cd=AAA

Things are working fine if I put directly _raw="applicationCode: 123" in search but when I am trying with if or case condition the data never pops up even if exists.

I see in my records something like | eval cat=case(host == "aaaa", "customer", host == "bbbb", "customer").

Can you please give this syntax a try?

That is not delimited with colon so splunk takes enter string as applicationCode: 123.

I tried that earlier no luck.

Oh sorry, let me please check more ; -)

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...