Solved: multiple case statement not working

samneo · ‎11-08-2021

Im working with JSON data and the structure is as per the below

data: { [-]
     application: { [+]
     }
     completedAt: 1636133794444
     environments: [ [-]
       { [-]
         id: XNu1-l8oROOOSM5gpoSR0g
       }
       { [-]
         id: _LY0B7VpRq64tHXq7Uy55A
       }
       { [-]
         id: 7KbvgSBMSUSUyAn2hMXSQA
       }
       { [-]
         id: dJ7EuItjSG2M47-zvIvimQ
       }
     ]

Now when i use a case function for this like the below:

|eval env = case('data.environments{}.id'=="7KbvgSBMSUSUyAn2hMXSQA", "prd-au", 'data.environments{}.id'=="_LY0B7VpRq64tHXq7Uy55A", "prd-gb")

It only ever brings me back 1 result and thats whatever is placed first in the case function so the above returns prd-au and if i swap the values around then it will return prd-gb. I presume this is something to do with how the JSON data is working with splunk causing it to error out but unsure how to resolve?

any ideas?

ITWhisperer · ‎11-08-2021

You would need to expand the event into multiple events, try something like this

| mvexapnd 'data.environments{}.id'

View solution in original post

samneo · ‎11-08-2021

thanks @ITWhisperer is there a way round this so i can get all values?

ITWhisperer · ‎11-08-2021

You would need to expand the event into multiple events, try something like this

| mvexapnd 'data.environments{}.id'

ITWhisperer · ‎11-08-2021

Splunk is working with a pipeline of events - the events in the pipeline include multivalue fields such as data.environments{}.id - the eval case finds a match among the multivalues for the first test hence you get the results you are getting

multiple case statement not working

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms