Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timecharting 2 seperate data sources with a case statement. What about this makes it so it will never get the label "msad", EVER

clozach
Path Finder
‎11-14-2019 01:55 PM

Something about this search makes it so we absolutely never get into the case that would label the column "msad". I have tried switching everything up: Making the zscaler case first, changing the msad case so that it just needs to meet the condition =* and every other tweak of syntax and values.

As an FYI, I have tried searching the default search separately and get events that meet both of the criteria mentioned in the case statement.

(index=zscaler) OR (index=msad) query=*debug*opendns*
 | eval field=case(index="msad" AND query="*debug*","msad",index="zscaler" AND query="debug.opendns.com","Zscaler", true(),"undefined")
 | timechart span=1h count by field

In this situation, it defaults to the undefined, which technically is all the events that I want labeled as msad and could change that to get desired results, but I'm posting this question because I am trying to understand the functionality of this command more then finding a workaround.

To me, it's very frustrating that the case statement will work with the zscaler events, but not with msad no matter how I change the case statement. I would really appreciate someone explaining the disconnect I am experiencing.

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-14-2019 04:09 PM

You are mixing AND with OR without parentheses, which is always terrible, but the real problem is that eval and where treat * as a string literal. Check our or conference talk here:
https://www.youtube.com/watch?v=wAVnQIoH3Zc
In the meantime , try this:

((index=zscaler) OR (index=msad)) AND query="*debug*opendns*"
| eval field=case(index="msad" AND match(query, "debug"), "msad",
   index="zscaler" AND query="debug.opendns.com", "Zscaler",
   true(), "undefined")

| timechart span=1h count BY field

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-14-2019 04:09 PM

You are mixing AND with OR without parentheses, which is always terrible, but the real problem is that eval and where treat * as a string literal. Check our or conference talk here:
https://www.youtube.com/watch?v=wAVnQIoH3Zc
In the meantime , try this:

((index=zscaler) OR (index=msad)) AND query="*debug*opendns*"
| eval field=case(index="msad" AND match(query, "debug"), "msad",
   index="zscaler" AND query="debug.opendns.com", "Zscaler",
   true(), "undefined")

| timechart span=1h count BY field

0 Karma
Reply
Solved! Jump to solution

clozach
Path Finder
‎11-15-2019 07:19 AM

Thanks so much! I'll definitely check it out!

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...