Splunk Search

case: defaulting to "value" rather than NULL

Engager

Hi,
I'm using an "eval myvar=case(...)" like the one in the splunk documentation:

... | eval description=case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")

If 'case' encounters a value for 'error' that is not identified in the mapping then it converts it to the default string "NULL". Is there some trick I can use to have it simply leave it alone and return the raw value itself?

For example using the above fragment, I'd like to have the pseudo-input of

  "404 ; 200 ; 600" 

map to

  Not Found ; OK ; 600

rather than

  Not Found ; OK ; NULL

I understand that 'case' doesn't do this [Splunk guys: enhancement request!], but are there any pre-processing tricks I can use retain the values that 'case' would obscure?

thanks.

Tags (2)
1 Solution

Splunk Employee
Splunk Employee

Case can definitely provide a default. Have your last pairing evaluate to true, and provide your default. The default value can be the name of a field, as well.

eval foo=case(x>0, "Positive", x<0, "Negative", 1=1, x)

View solution in original post

Is there still no else statement? This does not seem like an elegant solution.

0 Karma

Splunk Employee
Splunk Employee

Case can definitely provide a default. Have your last pairing evaluate to true, and provide your default. The default value can be the name of a field, as well.

eval foo=case(x>0, "Positive", x<0, "Negative", 1=1, x)

View solution in original post

Path Finder

@sowings ,

Just wonder why you used 1=1 and not true().

Is one approach better than another?

 

0 Karma

Champion

Hi

there was days when there haven’t been true() as function, for that reason 1=1 was a way to do that.

r. Ismo

0 Karma