Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How could I get multiple result when using "case"?

Questioner
Path Finder
‎08-16-2023 01:39 AM

I want to show this requirement in splunk.

  • when year<="2020" &&  time_type = "ALL" make variable "day_type" must have "day"
  • when year>"2020" &&  time_type = "ALL" make variable  "day_type" can have "day" and "night"
  • when time_type="half" make variable "day_type" must have "morning"

So, I wrote my code like this, but it doesn't working at all.

where day_type = case("$time_type$"=="ALL", case("$year$"<="2020", "day",1=1, in("day","night")), "$time_type$"=="half", "morning", 1=1,day_type)

 How could I make this Requirement ??

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-16-2023 02:06 AM

Are you trying to filter your events based on the values in these fields?

| where (year<=2020 AND time_type=="ALL" AND day_type=="day") OR (year>2020 AND time_type="ALL" AND (day_type=="day" OR day_type=="night")) OR (time_type=="half" AND day_type=="morning")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Manasa_401
Communicator
‎08-16-2023 08:49 AM

Hi @Questioner 

First using an eval create a day_type field with the conditions and next you can use where command to filter for the day_type you need.

| eval day_type=case(time_type="ALL" AND year<=2020,"day",time_type = "ALL" AND year>2020,"day night",1=1,"morning")
| where like(day_type,"%day%")

 You can pass the token in where command

 

If this answer helps, an upvote would be appreciated.

0 Karma
Reply
Solved! Jump to solution

Questioner
Path Finder
‎08-17-2023 08:13 PM

But it cound not recognized " like(day_type, "%day")"
It said the expression is malformed.😢

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-16-2023 02:06 AM

Are you trying to filter your events based on the values in these fields?

| where (year<=2020 AND time_type=="ALL" AND day_type=="day") OR (year>2020 AND time_type="ALL" AND (day_type=="day" OR day_type=="night")) OR (time_type=="half" AND day_type=="morning")
0 Karma
Reply
Solved! Jump to solution

Questioner
Path Finder
‎08-17-2023 09:51 PM

I never thought of it this way.

Thank you for your information!!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...