Hi @Damndionic,

The issue with your case function is the use of comparison operators that aren't correctly evaluating version strings. The case function cannot operate mathematical functions like greater or less-than on the string value provided.

Here's how you can fix it:

Replace the conditional checks with regular expressions to correctly identify "iOS" and "Android".
Use match() for regex comparisons.

Here's a revised version of your query:

| rex field=userRiskData.general "do\:(?<deviceOs>.+?)\|di\:(?<deviceId>.+?)\|db\:"
| eval validUser=if(isnotnull('userRiskData.uuid'),"Valid","Invalid")
| eval op = case(
match(deviceOs, "^iOS"), "iOS",
match(deviceOs, "^Android"), "Android",
true(), "Other"
)
| eval FullResult=validUser. "-" .outcome. "-" .op

Explanation:

match(deviceOs, "^iOS") checks if the deviceOs string starts with "iOS".
match(deviceOs, "^Android") checks if the deviceOs string starts with "Android".
The true condition acts as a default to catch other cases.

Here is a full example using makeresults:

| makeresults
| eval userRiskData.general="do:Windows|di:12345|db:789", userRiskData.uuid="abc-123-uuid"
| append
[| makeresults
| eval userRiskData.general="do:Linux|di:67890|db:321", userRiskData.uuid=null()]
| append
[| makeresults
| eval userRiskData.general="do:macOS|di:54321|db:333", userRiskData.uuid="def-456-uuid"]
| append
[| makeresults
| eval userRiskData.general="do:iOS 19|di:98765|db:444", userRiskData.uuid="ghi-789-uuid"]
| append
[| makeresults
| eval userRiskData.general="do:iOS 12|di:19283|db:555", userRiskData.uuid=null()]
| rex field=userRiskData.general "do\:(?<deviceOs>.+?)\|di\:(?<deviceId>.+?)\|db\:"
| eval validUser=if(isnotnull('userRiskData.uuid'),"Valid","Invalid")
| eval op = case(
match(deviceOs, "^iOS"), "iOS",
match(deviceOs, "^Android"), "Android",
true(), "Other"
)

Did this answer help you? If so, please consider:

Adding kudos to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing