Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timecharting 2 seperate data sources with a case statement. What about this makes it so it will never get the label "msad", EVER

clozach
Path Finder
‎11-14-2019 01:55 PM

Something about this search makes it so we absolutely never get into the case that would label the column "msad". I have tried switching everything up: Making the zscaler case first, changing the msad case so that it just needs to meet the condition =* and every other tweak of syntax and values.

As an FYI, I have tried searching the default search separately and get events that meet both of the criteria mentioned in the case statement.

(index=zscaler) OR (index=msad) query=*debug*opendns*
 | eval field=case(index="msad" AND query="*debug*","msad",index="zscaler" AND query="debug.opendns.com","Zscaler", true(),"undefined")
 | timechart span=1h count by field

In this situation, it defaults to the undefined, which technically is all the events that I want labeled as msad and could change that to get desired results, but I'm posting this question because I am trying to understand the functionality of this command more then finding a workaround.

To me, it's very frustrating that the case statement will work with the zscaler events, but not with msad no matter how I change the case statement. I would really appreciate someone explaining the disconnect I am experiencing.

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-14-2019 04:09 PM

You are mixing AND with OR without parentheses, which is always terrible, but the real problem is that eval and where treat * as a string literal. Check our or conference talk here:
https://www.youtube.com/watch?v=wAVnQIoH3Zc
In the meantime , try this:

((index=zscaler) OR (index=msad)) AND query="*debug*opendns*"
| eval field=case(index="msad" AND match(query, "debug"), "msad",
   index="zscaler" AND query="debug.opendns.com", "Zscaler",
   true(), "undefined")

| timechart span=1h count BY field

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-14-2019 04:09 PM

You are mixing AND with OR without parentheses, which is always terrible, but the real problem is that eval and where treat * as a string literal. Check our or conference talk here:
https://www.youtube.com/watch?v=wAVnQIoH3Zc
In the meantime , try this:

((index=zscaler) OR (index=msad)) AND query="*debug*opendns*"
| eval field=case(index="msad" AND match(query, "debug"), "msad",
   index="zscaler" AND query="debug.opendns.com", "Zscaler",
   true(), "undefined")

| timechart span=1h count BY field

0 Karma
Reply
Solved! Jump to solution

clozach
Path Finder
‎11-15-2019 07:19 AM

Thanks so much! I'll definitely check it out!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...