Splunk Search

how to get the field names based on the case statement conditions?

lahariveerlapat
Explorer

This is my query

sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" | stats count AS tnow | eval tnow = now() |
convert ctime(tnow) | eval n=substr(tnow,15,15) |eval m=substr(n,0,2)| eval switcherValue=case(m=55,voderrorcode,m=56,status) | stats count by switcherValue

I have to get the field name based on the m value in the case. Even though I am not giving the quotes, the case statement is treating it as a string; because of this I am not getting switcherValue as a field name.

Please advise me how to get the field name from the case statement instead of a string.


lguinn2
Legend

I have to point out that there are some other problems with your search. I have shown it below so that I can refer to it line by line.

sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" 
| stats count AS tnow 
| eval tnow = now() 
| convert ctime(tnow) 
| eval n= substr(tnow,15,15) 
| eval m= substr(n,0,2)
| eval switcherValue=case(m=55,voderrorcode,m=56,status) 
| stats count by switcherValue

In line 2, the stats command is unnecessary, because you overwrite the value of tnow in line 3 with the time that this search began. Did you really mean to use now()? I would have expected to use _time, but then I don't understand the condition you are testing. Finally, you seem to be manipulating the time to pick off certain characters in lines 3-5, but this seems like a hard way to do it.

Why not do this?

sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" 
| eval m = strftime(now(),"%M")
| eval switcherValue=case(m==55,voderrorcode,
     m==56,status,
     1==1,null()) 
| stats count by switcherValue

I was too lazy to figure out what all the substr was about, so I just set m to the minutes portion of the time. If you wanted some other part of the time, look here for the codes: Common Time Format Variables

Also, note that I added a third option to the case function - what if m is something other than 55 or 56? In that case, I set switcherValue to null, but you could set it to something else.
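To see the difference between a quoted field name and an unquoted field reference inside case() without touching indexed data, here is an added example (not part of the answer above) that builds four constructed events with makeresults and pins m to 55; the error codes, status value and the fixed minute are assumptions.

```spl
| makeresults count=4
| streamstats count AS i
| eval voderrorcode=case(i==1,"E1001", i==2,"E1002", i==3,"E1001"), status="500"
| eval m=55
| eval switcherName=case(m==55,"voderrorcode", m==56,"status", 1==1,null())
| eval switcherValue=case(m==55,voderrorcode, m==56,status, 1==1,null())
| stats count by switcherName switcherValue
```

switcherName carries the literal string "voderrorcode", while switcherValue carries that field's contents for each event (E1001 twice, E1002 once; event 4 has no voderrorcode, so its null switcherValue drops it from the stats grouping). Replace `m=55` with `tonumber(strftime(now(),"%M"))` to restore the time-based switch from the answer.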

somesoni2
SplunkTrust

Try the following

sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" | stats count AS tnow | eval tnow = now() | 
convert ctime(tnow) | eval n=substr(tnow,15,15) |eval m=substr(n,0,2)| eval switcherValue=case(m=55,voderrorcode,m=56,status) | eval sno=1| chart count over sno by switcherValue | fields - sno

lahariveerlapat
Explorer

In the above search I kept the m values in quotes: | eval switcherValue=case(m="55",voderrorcode,m="56",status) | stats count by switcherValue
