Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

eval statement not giving expected result

hrishi_deshpand
Explorer
‎09-08-2021 10:05 AM

index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | eval message = case(like(msg,"%Auto Approved%"), "Auto Approved", like(msg,"%Auto Rejected%"), "Auto Rejected",1=1,msg)|stats sum(Count) as Count by message | table message Count

 

I am having msg in event which contains Auto Approve or  Auto Rejected in between a big sentence

I want to count auto approve and auto rejected events but it doesn't give the expected result.

 

 

Labels (3)
Labels
0 Karma
Reply

hrishi_deshpand
Explorer
‎09-08-2021 10:36 AM

index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | eval msg = case(like(msg,"%Auto Approved%"), "Auto Approved", like(msg,"%Auto Rejected%"), "Auto Rejected", like(msg,"%manual review%"),"Manual Review")|stats count by msg | table msg, count

 

this worked perfectly just incase any one interested thanks

0 Karma
Reply

hrishi_deshpand
Explorer
‎09-08-2021 10:18 AM

index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | eval msg = case(like(msg,"%Auto Approved%"), "Auto Approved", like(msg,"%Auto Rejected%"), "Auto Rejected")|stats count by msg | table count, msg

 

 

able to get the grouping but visualization for pie chart says need numeric data

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-08-2021 10:30 AM

You don't need the table command at the end for the visualization; remove it and it should work. 

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-08-2021 10:12 AM

Can you provide an anonymized sample event?

Also, what IS the unexpected result you are getting?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...