- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: comparing two field not working with eval case
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
comparing two field not working with eval case
I have search below ..
|inputlookup biweekly_backup | join type=outer max=0 host [search index=tsm sourcetype="tsm-client-log" source="/server2splunk/server_sel" OR source="c:\\LogFiles\\sersel_sched.log" "Total server databases inspected" | rex field=_raw "^(?:[^:\n]*:){3}\s+(?P.+)"] | convert num(TDBs) | join type=outer max=0 host [search index=tsm sourcetype="tsm-client-log" source="/server2splunk/server_sel" OR source="c:\\LogFiles\\sersel_sched.log" "Total server databases backed up" | rex field=_raw "^(?P[^ ]+)(?:[^:\n]*:){3}\s+(?P.+)"] | convert num(DBBackedup) | join type=outer max=0 host [search index=tsm sourcetype="tsm-client-log" source="/server2splunk/server_sel" OR source="c:\\LogFiles\\sersel_sched.log" "Total server databases excluded" | rex field=_raw "^(?:[^:\n]*:){3}\s+(?P\s+\d+)"] | table host BDate TDBs DBBackedup DBexcluded
| dedup host
| eval DB_NotBackedup = (TDBs - DBBackedup)
| fillnull value=NoData
| eval Backup_Status=case(DB_NotBackedup>DBexcluded, "BackupFailed - RunEffBackup", DBBackedup="NoData", "BackupMissed - RunFullBackup", 1=1, "Success") | table Backup_Status BDate TDBs DBBackedup DBexcluded DB_NotBackedup
while comparing in |eval Backup_Status=case(DB_NotBackedup>DBexcluded,
it doesn't take field values to compare
but when i provide numeric values instead , it does,, e.g. |eval Backup_Status=case(DB_NotBackedup>4, ......
any idea what is missing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your query looks fine to me. What's happening when you run the result ? Did you check that you don't have blank or null value in DBexcluded?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Try rewriting your case with double = for comparison and use a space between the greater than symbol and the next variable name. Keep in mind this symbol can be part of the variable name (this is valid code | eval field>A = "random text" 😞
| eval Backup_Status = case(
DB_NotBackedup > DBexcluded, "BackupFailed - RunEffBackup",
DBBackedup == "NoData", "BackupMissed - RunFullBackup",
1==1, "Success"
)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
still the same
output
Backup_Status BDate TDBs DBBackedup DBexcluded DB_NotBackedup
1 BackupFailed - RunEffBackup 07/30/2016 1581 1566 3 15
2 BackupFailed - RunEffBackup 07/24/2016 1278 1275 3 3
3 BackupFailed - RunEffBackup 07/31/2016 2165 2162 3 3
4 BackupFailed - RunEffBackup 07/23/2016 678 677 1 1
5 BackupFailed - RunEffBackup 07/30/2016 1918 1915 2 3
6 BackupFailed - RunEffBackup 07/23/2016 1272 1268 3 4
7 BackupFailed - RunEffBackup 07/23/2016 11009 11009 0 0
8 BackupFailed - RunEffBackup 07/31/2016 10020 10019 1 1
9 BackupMissed - RunFullBackup NoData NoData NoData NoData NoData
as per condition, no1 and no 6 should be success but it is not.. !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
then it seems like the "BDexcluded" field is not an number. you can test it with the eval function isnum(X)
see https://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonEvalFunctions#Informational...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
