Splunk Search

timecharting 2 separate data sources with a case statement. What about this makes it so it will never get the label "msad", EVER

clozach
Path Finder

Something about this search makes it so we absolutely never get into the case that would label the column "msad". I have tried switching everything up: making the zscaler case first, changing the msad case so that it just needs to meet the condition =*, and every other tweak of syntax and values.

As an FYI, I have tried searching the default search separately and get events that meet both of the criteria mentioned in the case statement.

(index=zscaler) OR (index=msad) query=*debug*opendns*
| eval field=case(index="msad" AND query="*debug*","msad",index="zscaler" AND query="debug.opendns.com","Zscaler", true(),"undefined")
| timechart span=1h count by field

In this situation, it defaults to the undefined, which technically is all the events that I want labeled as msad, and I could change that to get the desired results, but I'm posting this question because I am trying to understand the functionality of this command more than finding a workaround.

To me, it's very frustrating that the case statement will work with the zscaler events, but not with msad no matter how I change the case statement. I would really appreciate someone explaining the disconnect I am experiencing.

1 Solution

woodcock
Esteemed Legend

You are mixing AND with OR without parentheses, which is always terrible, but the real problem is that eval and where treat * as a string literal. Check out our conference talk here:
https://www.youtube.com/watch?v=wAVnQIoH3Zc
In the meantime, try this:

((index=zscaler) OR (index=msad)) AND query="*debug*opendns*"
| eval field=case(index="msad" AND match(query, "debug"), "msad",
   index="zscaler" AND query="debug.opendns.com", "Zscaler",
   true(), "undefined")
| timechart span=1h count BY field

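To see the literal-versus-wildcard behaviour described in the answer without querying real indexes, here is an added SPL search (not from the original post or from Splunk) that builds four constructed events with makeresults and runs the same comparisons side by side; the index and query values are assumptions, chosen to mirror the question.

```spl
| makeresults count=4
| streamstats count AS n
| eval index=case(n<=2, "msad", true(), "zscaler"),
       query=case(n=1, "debug.opendns.com",
                  n=2, "host.debug.opendns.com.local",
                  n=3, "debug.opendns.com",
                  true(), "other.example.com")
| eval
    literal_star = if(query="*debug*", "matched", "no match"),
    regex_match  = if(match(query, "debug"), "matched", "no match"),
    like_wild    = if(like(query, "%debug%"), "matched", "no match")
| eval field=case(index="msad" AND match(query, "debug"), "msad",
                  index="zscaler" AND query="debug.opendns.com", "Zscaler",
                  true(), "undefined")
| table n index query literal_star regex_match like_wild field
```

Expected table: literal_star is "no match" on every row, because inside eval the string "*debug*" is compared character for character and no query value literally equals it; regex_match and like_wild are "matched" on rows 1 to 3, and field comes out as msad, msad, Zscaler, undefined, which is the labelling the question was after. The asterisk only acts as a wildcard in the search command at the top of the pipeline, so the choice in eval is match() for a regular expression or like() with % for an SQL-style wildcard.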


clozach
Path Finder

Thanks so much! I'll definitely check it out!
