Re: eval statement not giving expected result

hrishi_deshpand · ‎09-08-2021

index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | eval message = case(like(msg,"%Auto Approved%"), "Auto Approved", like(msg,"%Auto Rejected%"), "Auto Rejected",1=1,msg)|stats sum(Count) as Count by message | table message Count

I am having msg in event which contains Auto Approve or Auto Rejected in between a big sentence

I want to count auto approve and auto rejected events but it doesn't give the expected result.

hrishi_deshpand · ‎09-08-2021

index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | eval msg = case(like(msg,"%Auto Approved%"), "Auto Approved", like(msg,"%Auto Rejected%"), "Auto Rejected", like(msg,"%manual review%"),"Manual Review")|stats count by msg | table msg, count

this worked perfectly just incase any one interested thanks

hrishi_deshpand · ‎09-08-2021

index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | eval msg = case(like(msg,"%Auto Approved%"), "Auto Approved", like(msg,"%Auto Rejected%"), "Auto Rejected")|stats count by msg | table count, msg

able to get the grouping but visualization for pie chart says need numeric data

s2_splunk · ‎09-08-2021

You don't need the table command at the end for the visualization; remove it and it should work.

s2_splunk · ‎09-08-2021

Can you provide an anonymized sample event?

Also, what IS the unexpected result you are getting?

eval statement not giving expected result

eval

fields

table

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes