Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

problem with using of CASE results

iKate
Builder
‎03-28-2012 04:37 AM

Hi everyone!

Could you please tell me why my search doesn't work.
It has variable click.value $offer_var$ that can be one of the several offer names. Each offer has distinct value of times that a user can exploit it. I need to figue out how many users have reached the maximum value.

source="my_source", service_id="my_service_id" tx_status_id=COMPLETED | fillnull value=none offer_uid | where offer_uid=$offer_var$ | eval max_usage=case(offer_uid == "free_winter", 2, offer_uid == "free_summer", 15, offer_uid == "free_spring", 10) | stats count as usage by user_uid | stats count(eval(usage = max_usage)) as used_offer_completely

For testing purposes I put the name of one of the offers instead of $offer_var$.
Search shows 0 for used_offer_completely but the real result should be other.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

iKate
Builder
‎01-22-2013 01:24 PM

I've stumbeled upon my old question and realized that I should change the query as follows:

source="my_source", service_id="my_service_id" tx_status_id=COMPLETED | fillnull value=none offer_uid | where offer_uid=$offer_var$ | eval max_usage=case(offer_uid == "free_winter", 2, offer_uid == "free_summer", 15, offer_uid == "free_spring", 10) | eventstats count as usage by user_uid | stats count(eval(usage = "max_usage")) as used_offer_completely

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

iKate
Builder
‎01-22-2013 01:24 PM

I've stumbeled upon my old question and realized that I should change the query as follows:

source="my_source", service_id="my_service_id" tx_status_id=COMPLETED | fillnull value=none offer_uid | where offer_uid=$offer_var$ | eval max_usage=case(offer_uid == "free_winter", 2, offer_uid == "free_summer", 15, offer_uid == "free_spring", 10) | eventstats count as usage by user_uid | stats count(eval(usage = "max_usage")) as used_offer_completely

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...