×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Damndionic
Engager
Member since: ‎03-31-2025
‎03-31-2025
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-31-2025
Activity Feed
Topics I've Started
View All

case eval only showing 1 result

by in Splunk Search
‎03-31-2025 01:59 PM
‎03-31-2025 01:59 PM
I've scowered the internet trying to find a similar issue with no avail.  | rex field=userRiskData.general "do\:(?<deviceOs>.+?)\|di\:(?<deviceId>.+?)\|db\:" | eval validUser=if(isnotnull(userRiskData.uuid),"Valid","Invalid") | eval op = case(deviceOs>"iOS 1" OR deviceOs<"iOS 999","iOS", deviceOs>"Android 0" OR deviceOs< "Android 999", "Android", 1=1, Other) | eval FullResult=validUser. "-" .outcome. "-" .op I am extracting a device OS from a general field, I don't have permissions to extract it as a perminent field.  When trying to do the eval do truncate the different iOS and Android versions as just "iOS" and "Android", the case is only showing the first OS type in the query. If i change the order to android it'll show android and no iOS, if i keep it as it, it only shows iOS. Is this due to the rex command or am i messing up syntax somewhere?   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-31-2025 06:44 PM