Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

can we use field name for comparison in case statement?

shivi_tcs
Engager
‎08-10-2017 01:16 AM

Hi Splunkers!

I am try to evaluate few things by using query below-

index=* sourcetype=* | stats values(OPEN_INT) as int by
OPTION_TYP STRIKE_PR | appendcols [|search index=* sourcetype=*
OPTION_TYP=XX | eval a1=CLOSE-(CLOSE*75)/10000|eval a2=CLOSE+(CLOSE*75)/10000|
eval i2=CLOSE-(CLOSE*25)/1000 | eval o2=CLOSE+(CLOSE*25)/1000 |table a1 a2 i2 o2 CLOSE]|
eval ty=case(STRIKE_PR>=9839.46 AND STRIKE_PR<10016,"IN",STRIKE_PR>=10016 AND STRIKE_PR<10167,"AT"
,STRIKE_PR>=10167 AND STRIKE_PR<=10344,"OUT",1==1, NULL) | search ty!=NULL |

I need to use the values of fields a1 a2 i2 o2 in the case statement written above, such that my statement appears like-
eval ty=case(STRIKE_PR>=i2 AND STRIKE_PR=a1 AND STRIKE_PR=a2AND STRIKE_PR<=o2,"OUT",1==1, NULL) | search ty!=NULL |

But splunk doesn't give me any results when i use fields name instead of the numeric value.

Can someone figure out what the problem is?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎08-10-2017 01:40 AM

Yes, you can use fields in case statements. Here is a simple example that proves it.

| makeresults 
| fields - _time
| eval thresh = 3, value = 3
| eval result = case(thresh > value, "lower", thresh < value, "higher", thresh == value, "equal", 1==1, "0")

Without having your actual data, one suggestion I would make is replace NULL with NULL() in the case statement. Then change the following search to | WHERE isnotnull(ty). Maybe the fact that you are using search against a table of field values and not _raw is the issue.

So the modified search would be

index= sourcetype= 
| stats values(OPEN_INT) as int by 
OPTION_TYP STRIKE_PR 
| appendcols [|search index= sourcetype= 
OPTION_TYP=XX | eval a1=CLOSE-(CLOSE*75)/10000|eval a2=CLOSE+(CLOSE*75)/10000| 
eval i2=CLOSE-(CLOSE*25)/1000 | eval o2=CLOSE+(CLOSE*25)/1000 |table a1 a2 i2 o2 CLOSE]
| eval ty=case(STRIKE_PR>=9839.46 AND STRIKE_PR<10016,"IN",STRIKE_PR>=10016 AND STRIKE_PR<10167,"AT"
,STRIKE_PR>=10167 AND STRIKE_PR<=10344,"OUT",1==1, NULL()) 
| where isnotnull(ty)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎08-10-2017 01:40 AM

Yes, you can use fields in case statements. Here is a simple example that proves it.

| makeresults 
| fields - _time
| eval thresh = 3, value = 3
| eval result = case(thresh > value, "lower", thresh < value, "higher", thresh == value, "equal", 1==1, "0")

Without having your actual data, one suggestion I would make is replace NULL with NULL() in the case statement. Then change the following search to | WHERE isnotnull(ty). Maybe the fact that you are using search against a table of field values and not _raw is the issue.

So the modified search would be

index= sourcetype= 
| stats values(OPEN_INT) as int by 
OPTION_TYP STRIKE_PR 
| appendcols [|search index= sourcetype= 
OPTION_TYP=XX | eval a1=CLOSE-(CLOSE*75)/10000|eval a2=CLOSE+(CLOSE*75)/10000| 
eval i2=CLOSE-(CLOSE*25)/1000 | eval o2=CLOSE+(CLOSE*25)/1000 |table a1 a2 i2 o2 CLOSE]
| eval ty=case(STRIKE_PR>=9839.46 AND STRIKE_PR<10016,"IN",STRIKE_PR>=10016 AND STRIKE_PR<10167,"AT"
,STRIKE_PR>=10167 AND STRIKE_PR<=10344,"OUT",1==1, NULL()) 
| where isnotnull(ty)
0 Karma
Reply
Solved! Jump to solution

shivi_tcs
Engager
‎08-10-2017 03:09 AM

Hi,
Thanks for replying.
I got a part of solution from your answer!

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎08-10-2017 03:15 AM

Glad to hear you got it cleared up. Please award points or accept it as the answer if your issue is resolved.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top