Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

case function -- why can't I operate on the results of a case function?

pgiffd
New Member
‎06-23-2017 02:35 PM

case function -- why can't I operate on the results of a case function? After the eval case function, I got 100 rows. I want to eliminate 30 of them using a standard where clause. (ex. where fieldA = "X" should remove all rows where fieldA = "Y".) All the rows remain. How can I exclude rows? I need to execute 5 cases, and then at the end I want to remove what wasn't found in any of them.

Tags (2)
0 Karma
Reply

acharlieh
Influencer
‎06-23-2017 03:24 PM

This was getting long for a comment...

(ex. where fieldA = "X" should remove all rows where fieldA = "Y".)

This is not actually correct... unset/null fields, and multivalued fields make this logic a bit more complex. |where fieldA="X" keeps all rows where a value of the field is X... some of those rows could have fieldA="Y" as well.

I'm going to use this runanywhere query for an example base query: 

| makeresults count=12 | streamstats count | eval fieldA=case(count%4=1,"X",count%4=2,"Y",count%4=3,split("X,Y",","))

We have 3 rows (1,5,9) where fieldA="X", 3 rows (2,6,10) where fieldA="Y", 3 rows (3,7,11) where fieldA is both, and 3 rows (4,8,12) where fieldA is null.

<basesearch> | where fieldA="X"

actually gives 6 rows (1,5,9, and 3,7,11), on half of these, fieldA="Y" 

<basesearch> | where NOT fieldA="Y"

which gives you 6 rows (1,5,9 and 4,8,12)... on the latter 3 now, fieldA doesn't exist, so fieldA="Y" is false 

<basesearch> | where fieldA!="Y"

which gives you only 3 rows (1,5,9) (or where fieldA equals a value that isn't Y)

<basesearch> | where isnull(fieldA)

which gives you only the 3 rows (4,8,12) where fieldA isn't any value at all

This should also show that using eval with case to generate a field and then filter on it with where is indeed possible, and the last one might be what you're looking for, but as @pyro_wood mentions to solve your particular case we likely need more specific information.

Reply

DalJeanis
Legend
‎06-23-2017 04:31 PM

@charlieh gave you a great answer and a demo why.

Just in case you need to understand what to do about it, here's one way...

| eval mynewfield=case(firsttest=1,"pass1",  secondtest="whatever","pass2",   .... lasttest="ok","lastpass",   true(),null()   )
| where isnotnull(mynewfield)
0 Karma
Reply

horsefez
Motivator
‎06-23-2017 02:45 PM

Hi,

it's not very clear what you are trying to do, or whats the actual problem.
Please post your query and some sample events.
Thanks!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...