Solved: how to get the case function to have multiple stat...

spicy · ‎05-11-2021

The case function seems to finding the first true statement and displays that value. Is there another function or different way to use case to get the results i want below? There are different events with similar features below, want something that would use for all different scenarios of when something is true or false.

Event Fields i am filtering on:
vpn=true
proxy=false
tor=true

What im using:
| eval anon= case(vpn="true", "vpn" , proxy="true", "proxy", tor="true", "tor")

results im getting:
anon=vpn

results i want:
anon=vpn
tor

thanks for any help!

ITWhisperer · ‎05-11-2021

| makeresults
| eval vpn="true"
| eval proxy="false"
| eval tor="true"
| foreach vpn proxy tor
    [| eval anon=if(<<FIELD>>="true",if(isnull(anon),"<<FIELD>>",mvappend(anon,"<<FIELD>>")),anon)]

View solution in original post

ITWhisperer · ‎05-11-2021

| makeresults
| eval vpn="true"
| eval proxy="false"
| eval tor="true"
| foreach vpn proxy tor
    [| eval anon=if(<<FIELD>>="true",if(isnull(anon),"<<FIELD>>",mvappend(anon,"<<FIELD>>")),anon)]

spicy · ‎05-11-2021

Thanks! Gonna have to apply this knowledge to other queries now

how to get the case function to have multiple status, when multiple fields are true

eval

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

Are you a member of the Splunk Community?

how to get the case function to have multiple status, when multiple fields are true

eval

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University