Splunk Search

Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

Hi All,

When I execute the search below, it works fine:

 index="X" sourcetype="xx" "applicationCode: 123" "providerCode: AAA" NOT("responseCode: 00" OR "responseCode: SM--")

But when it is integrated with a case condition, it fails with the error: Error in 'eval' command: The expression is malformed. Expected ).

index="X" sourcetype="xx" "applicationCode: 123"  responseCode=* | eval response_cd=case("applicationCode: 123" "providerCode: AAA" NOT("responseCode: 00" OR "responseCode: SM--" ,"AAA") | timechart count by response_cd usenull=f useother=f

Can someone help me please!!!

0 Karma
1 Solution

Path Finder

Could you please try to specify AND in the statement in CASE?

| eval response_cd=case(_raw="*applicationCode: 123*" AND _raw="*providerCode: AAA*" AND _raw!="*responseCode: 00*" AND _raw!="*responseCode: SM--*" ,"AAA", 1==1, "BBB")


0 Karma

Esteemed Legend

Try starting out with this:

... | eval response_cd=case(_raw="*applicationCode: 123*", "AAA",
                            _raw="*applicationCode: XXX*", "BBB",
                            true(), "UNK")
| stats count by response_cd

0 Karma

The search doesn't work; even if it contains the data applicationCode: 123, it never displays anything.

But if I remove case and try the search _raw="applicationCode: 123", I get the data. It's weird.

0 Karma


Huhu, it worked with a few changes:

case(match(_raw,"applicationCode: 123"),"AAA",1=1,"UNK")

I tried the below; it didn't work:

| eval response_cd=case(_raw="*applicationCode: 123*"  ,"AAA", 1==1, "BBB")

I removed it from case and tried it; it is getting data:

_raw="*applicationCode: 123*"

Is it that _raw doesn't work for case?

0 Karma

Path Finder

_raw contains the whole string; you need to have * (any characters) at the beginning and the end.

0 Karma

Yes, I tried with a star at the beginning and end. It didn't work:

_raw="*applicationCode: 123*"

0 Karma

Champion

I'm confused as to what you're trying to accomplish. What would you expect to end up in the response_cd field after the eval?

To back up a moment, the case statement is used to test multiple conditions and return the value corresponding to the first matching condition. So

eval field = case (condition1,value1, condition2, value2, ..., conditionN, valueN)

For example, if you had a field for operating system called os_ver that contained windows version numbers you might use this to get a corresponding name:

eval os_name = case(os_ver="5.1","xp",os_ver="5.2","2003",os_ver="6.0","Vista",1=1,"unknown")

So what condition are you actually testing and what do you want the result to be?

0 Karma
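To make the difference between the forms tried in this thread concrete, here is an added Python model of how eval's case() picks a value (not code from the thread or from Splunk; the event lines are constructed). Two things it shows: in eval, `=` is an exact string comparison, so the `*` in `_raw="*applicationCode: 123*"` is a literal character and never matches a whole event, whereas `match(_raw, "...")` is a regular-expression search; and the condition/value pairs are tried in order with the first true condition winning, so the catch-all (`1==1` or `true()`) goes last. The original "Expected )" error is a separate problem: in the failing search the `)` after `"AAA"` closes `NOT(`, so `case(` is never closed, and eval does not accept quoted terms side by side without AND the way the search command does.

```python
import re
from collections import Counter
from typing import Callable, Iterable, List

Condition = Callable[[str], bool]

# Constructed sample events in the shape the thread describes (not real data from the post).
EVENTS: List[str] = [
    "2024-01-01T10:00:00 applicationCode: 123 providerCode: AAA responseCode: 00",
    "2024-01-01T10:00:01 applicationCode: 123 providerCode: AAA responseCode: 05",
    "2024-01-01T10:00:02 applicationCode: 123 providerCode: AAA responseCode: SM--",
    "2024-01-01T10:00:03 applicationCode: XXX providerCode: BBB responseCode: 05",
]


def spl_case(raw: str, *pairs, default=None):
    """Model of eval case(c1, v1, c2, v2, ...): value of the first true
    condition; null (None) when nothing matches, as in Splunk."""
    if len(pairs) % 2:
        raise ValueError("case() needs condition/value pairs")
    for cond, value in zip(pairs[0::2], pairs[1::2]):
        if cond(raw):
            return value
    return default


def eq(literal: str) -> Condition:
    """eval's field="...": exact string comparison. A '*' in the literal is
    just a character here; it is only a wildcard in the search command."""
    return lambda raw: raw == literal


def match(pattern: str) -> Condition:
    """eval's match(field, regex): unanchored regular-expression search."""
    rx = re.compile(pattern)
    return lambda raw: rx.search(raw) is not None


def all_of(*conds: Condition) -> Condition:
    """AND of several conditions."""
    return lambda raw: all(c(raw) for c in conds)


def none_of(*conds: Condition) -> Condition:
    """NOT (c1 OR c2 ...)."""
    return lambda raw: not any(c(raw) for c in conds)


def true() -> Condition:
    """eval's true(): catch-all last condition (1==1 in the thread)."""
    return lambda raw: True


def classify_with_wildcard_equals(events: Iterable[str]) -> List[str]:
    """The thread's failing form: _raw="*applicationCode: 123*" inside case()."""
    return [spl_case(r, eq("*applicationCode: 123*"), "AAA", true(), "UNK")
            for r in events]


def classify_with_match(events: Iterable[str]) -> List[str]:
    """The working form: match() per substring, combined with AND/NOT, catch-all last."""
    rule = all_of(
        match(r"applicationCode: 123"),
        match(r"providerCode: AAA"),
        none_of(match(r"responseCode: 00"), match(r"responseCode: SM--")),
    )
    return [spl_case(r, rule, "AAA", true(), "UNK") for r in events]


def count_by(values: Iterable[str]) -> dict:
    """Rough stand-in for `| stats count by response_cd`."""
    return dict(Counter(values))


if __name__ == "__main__":
    print(count_by(classify_with_wildcard_equals(EVENTS)))  # {'UNK': 4}
    print(count_by(classify_with_match(EVENTS)))            # {'UNK': 3, 'AAA': 1}
```

Carried back into SPL on the same reasoning, a working version of the original search would be `... | eval response_cd=case(match(_raw,"applicationCode: 123") AND match(_raw,"providerCode: AAA") AND NOT match(_raw,"responseCode: (00|SM--)"), "AAA", true(), "UNK") | timechart count by response_cd` (my reconstruction, not the thread's accepted answer).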

I have multiple conditions and values to start with. For testing purposes I have added only one condition:

eval response_cd=case(_raw="applicationCode: 123","AAA",_raw="applicationCode: XXX", "BBB") | search response_cd=AAA

Things work fine if I put _raw="applicationCode: 123" directly in the search, but when I try it with an if or case condition the data never pops up even if it exists.

0 Karma

Ultra Champion

I see in my records something like | eval cat=case(host == "aaaa", "customer", host == "bbbb", "customer").

Can you please give this syntax a try?

0 Karma

That is not delimited with a colon, so Splunk takes the entire string as applicationCode: 123.

I tried that earlier no luck.

0 Karma

Ultra Champion

Oh sorry, let me please check more ;-)

0 Karma