Splunk Search

how to get the field names based on the case statement conditions?

This is my query

sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation"
| stats count AS tnow
| eval tnow = now()
| convert ctime(tnow)
| eval n=substr(tnow,15,15)
| eval m=substr(n,0,2)
| eval switcherValue=case(m=55,voderrorcode,m=56,status)
| stats count by switcherValue

I have to get the field name based on the m value in the case. Even though I am not giving the quotes, the case statement is treating it as a string, and because of this I am not getting switcherValue as the field name.

Please advise me how to get the field name from the case statement instead of a string.


Legend

I have to point out that there are some other problems with your search. I have shown it below so that I can refer to it line-by-line.

sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" 
| stats count AS tnow 
| eval tnow = now() 
| convert ctime(tnow) 
| eval n= substr(tnow,15,15) 
| eval m= substr(n,0,2)
| eval switcherValue=case(m=55,voderrorcode,m=56,status) 
| stats count by switcherValue

In line 2, the stats command is unnecessary, because you overwrite the value of tnow in line 3 with the time that this search began. Did you really mean to use now()? I would have expected to use _time, but then I don't understand the condition you are testing. Finally, you seem to be manipulating the time to pick off certain characters in lines 3-5, but this seems like a hard way to do it.

Why not do this?

sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" 
| eval m = strftime(now(),"%M")
| eval switcherValue=case(m==55,voderrorcode,
     m==56,status,
     1==1,null()) 
| stats count by switcherValue

I was too lazy to figure out what all the substr was about, so I just set m to the minutes portion of the time. If you wanted some other part of the time, look here for the codes: Common Time Format Variables

Also, note that I added a third option to the case function - what if m is something other than 55 or 56? In that case, I set switcherValue to null, but you could set it to something else.
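An added check, not from the original thread, that runs without either sourcetype by building one event with makeresults and constructed field values. It shows that an unquoted name inside case() is a field reference and returns that field's value, while a quoted name returns the literal string, which is what you need if switcherValue is meant to hold the field name. m is pinned to "55" so the output is deterministic; swap in strftime(now(),"%M") from the search above for the live case:

```spl
| makeresults count=1
| eval voderrorcode="E42", status="200"
| eval m="55"
| eval byValue=case(m=="55", voderrorcode, m=="56", status, true(), null())
| eval byName=case(m=="55", "voderrorcode", m=="56", "status", true(), null())
| table m voderrorcode status byValue byName
```

Expected: byValue is E42 and byName is voderrorcode; a following stats count by byName then groups by field name rather than by field value.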

SplunkTrust

Try the following:

sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation"
| stats count AS tnow
| eval tnow = now()
| convert ctime(tnow)
| eval n=substr(tnow,15,15)
| eval m=substr(n,0,2)
| eval switcherValue=case(m=55,voderrorcode,m=56,status)
| eval sno=1
| chart count over sno by switcherValue
| fields - sno

In the above search I kept the m values in quotes:

| eval switcherValue=case(m="55",voderrorcode,m="56",status)
| stats count by switcherValue
