Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- case eval only showing 1 result
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've scowered the internet trying to find a similar issue with no avail.
| rex field=userRiskData.general "do\:(?<deviceOs>.+?)\|di\:(?<deviceId>.+?)\|db\:"
| eval validUser=if(isnotnull(userRiskData.uuid),"Valid","Invalid")
| eval op = case(deviceOs>"iOS 1" OR deviceOs<"iOS 999","iOS", deviceOs>"Android 0" OR deviceOs< "Android 999", "Android", 1=1, Other)
| eval FullResult=validUser. "-" .outcome. "-" .opI am extracting a device OS from a general field, I don't have permissions to extract it as a perminent field.
When trying to do the eval do truncate the different iOS and Android versions as just "iOS" and "Android", the case is only showing the first OS type in the query. If i change the order to android it'll show android and no iOS, if i keep it as it, it only shows iOS.
Is this due to the rex command or am i messing up syntax somewhere?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Damndionic,
The issue with your case function is the use of comparison operators that aren't correctly evaluating version strings. The case function cannot operate mathematical functions like greater or less-than on the string value provided. Here's how you can fix it:
- Replace the conditional checks with regular expressions to correctly identify "iOS" and "Android".
- Use match() for regex comparisons.
Here's a revised version of your query:
| rex field=userRiskData.general "do\:(?<deviceOs>.+?)\|di\:(?<deviceId>.+?)\|db\:"
| eval validUser=if(isnotnull(userRiskData.uuid),"Valid","Invalid")
| eval op = case(
match(deviceOs, "^iOS"), "iOS",
match(deviceOs, "^Android"), "Android",
true, "Other"
)
| eval FullResult=validUser. "-" .outcome. "-" .opExplanation:
- match(deviceOs, "^iOS") checks if the deviceOs string starts with "iOS".
- match(deviceOs, "^Android") checks if the deviceOs string starts with "Android".
- The true condition acts as a default to catch other cases.
Here is a full example using makeresults:
| makeresults
| eval userRiskData.general="do:Windows|di:12345|db:789", userRiskData.uuid="abc-123-uuid"
| append
[| makeresults
| eval userRiskData.general="do:Linux|di:67890|db:321", userRiskData.uuid=null]
| append
[| makeresults
| eval userRiskData.general="do:macOS|di:54321|db:333", userRiskData.uuid="def-456-uuid"]
| append
[| makeresults
| eval userRiskData.general="do:iOS 19|di:98765|db:444", userRiskData.uuid="ghi-789-uuid"]
| append
[| makeresults
| eval userRiskData.general="do:iOS 12|di:19283|db:555", userRiskData.uuid=null]
| rex field=userRiskData.general "do\:(?<deviceOs>.+?)\|di\:(?<deviceId>.+?)\|db\:"
| eval validUser=if(isnotnull(userRiskData.uuid),"Valid","Invalid")
| eval op = case(
match(deviceOs, "^iOS"), "iOS",
match(deviceOs, "^Android"), "Android",
true(), "Other"
)🌟 Did this answer help you? If so, please consider:
- Adding kudos to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Damndionic,
The issue with your case function is the use of comparison operators that aren't correctly evaluating version strings. The case function cannot operate mathematical functions like greater or less-than on the string value provided. Here's how you can fix it:
- Replace the conditional checks with regular expressions to correctly identify "iOS" and "Android".
- Use match() for regex comparisons.
Here's a revised version of your query:
| rex field=userRiskData.general "do\:(?<deviceOs>.+?)\|di\:(?<deviceId>.+?)\|db\:"
| eval validUser=if(isnotnull(userRiskData.uuid),"Valid","Invalid")
| eval op = case(
match(deviceOs, "^iOS"), "iOS",
match(deviceOs, "^Android"), "Android",
true, "Other"
)
| eval FullResult=validUser. "-" .outcome. "-" .opExplanation:
- match(deviceOs, "^iOS") checks if the deviceOs string starts with "iOS".
- match(deviceOs, "^Android") checks if the deviceOs string starts with "Android".
- The true condition acts as a default to catch other cases.
Here is a full example using makeresults:
| makeresults
| eval userRiskData.general="do:Windows|di:12345|db:789", userRiskData.uuid="abc-123-uuid"
| append
[| makeresults
| eval userRiskData.general="do:Linux|di:67890|db:321", userRiskData.uuid=null]
| append
[| makeresults
| eval userRiskData.general="do:macOS|di:54321|db:333", userRiskData.uuid="def-456-uuid"]
| append
[| makeresults
| eval userRiskData.general="do:iOS 19|di:98765|db:444", userRiskData.uuid="ghi-789-uuid"]
| append
[| makeresults
| eval userRiskData.general="do:iOS 12|di:19283|db:555", userRiskData.uuid=null]
| rex field=userRiskData.general "do\:(?<deviceOs>.+?)\|di\:(?<deviceId>.+?)\|db\:"
| eval validUser=if(isnotnull(userRiskData.uuid),"Valid","Invalid")
| eval op = case(
match(deviceOs, "^iOS"), "iOS",
match(deviceOs, "^Android"), "Android",
true(), "Other"
)🌟 Did this answer help you? If so, please consider:
- Adding kudos to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
.conf25 Community Recap
Splunk App Developers | .conf25 Recap & What’s Next
Congratulations to the 2025-2026 SplunkTrust!
