Solved: how to get the case function to have multiple stat...

spicy · ‎05-11-2021

The case function seems to finding the first true statement and displays that value. Is there another function or different way to use case to get the results i want below? There are different events with similar features below, want something that would use for all different scenarios of when something is true or false.

Event Fields i am filtering on:
vpn=true
proxy=false
tor=true

What im using:
| eval anon= case(vpn="true", "vpn" , proxy="true", "proxy", tor="true", "tor")

results im getting:
anon=vpn

results i want:
anon=vpn
tor

thanks for any help!

ITWhisperer · ‎05-11-2021

| makeresults
| eval vpn="true"
| eval proxy="false"
| eval tor="true"
| foreach vpn proxy tor
    [| eval anon=if(<<FIELD>>="true",if(isnull(anon),"<<FIELD>>",mvappend(anon,"<<FIELD>>")),anon)]

View solution in original post

ITWhisperer · ‎05-11-2021

| makeresults
| eval vpn="true"
| eval proxy="false"
| eval tor="true"
| foreach vpn proxy tor
    [| eval anon=if(<<FIELD>>="true",if(isnull(anon),"<<FIELD>>",mvappend(anon,"<<FIELD>>")),anon)]

spicy · ‎05-11-2021

Thanks! Gonna have to apply this knowledge to other queries now

how to get the case function to have multiple status, when multiple fields are true

eval

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life