Solved: how to get the case function to have multiple stat...

spicy · ‎05-11-2021

The case function seems to finding the first true statement and displays that value. Is there another function or different way to use case to get the results i want below? There are different events with similar features below, want something that would use for all different scenarios of when something is true or false.

Event Fields i am filtering on:
vpn=true
proxy=false
tor=true

What im using:
| eval anon= case(vpn="true", "vpn" , proxy="true", "proxy", tor="true", "tor")

results im getting:
anon=vpn

results i want:
anon=vpn
tor

thanks for any help!

ITWhisperer · ‎05-11-2021

| makeresults
| eval vpn="true"
| eval proxy="false"
| eval tor="true"
| foreach vpn proxy tor
    [| eval anon=if(<<FIELD>>="true",if(isnull(anon),"<<FIELD>>",mvappend(anon,"<<FIELD>>")),anon)]

View solution in original post

ITWhisperer · ‎05-11-2021

| makeresults
| eval vpn="true"
| eval proxy="false"
| eval tor="true"
| foreach vpn proxy tor
    [| eval anon=if(<<FIELD>>="true",if(isnull(anon),"<<FIELD>>",mvappend(anon,"<<FIELD>>")),anon)]

spicy · ‎05-11-2021

Thanks! Gonna have to apply this knowledge to other queries now

how to get the case function to have multiple status, when multiple fields are true

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation