Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to create a case statement with NOT LIKE option?

zacksoft
Contributor
‎05-22-2018 02:24 AM 
| eval usage=case(like(_raw,"%FirstClass%"),"A_Grade",like(_raw,"%SecondClass%"),"B_Grade",like(_raw,"%ThirdClass%"),"C_Grade")

My question is, in the above statement when I draw a pie chart that gives me A, B, C_Grade. However I want to know all the failed student in the chart as well.
My _raw contains all the events i.e. all three grades and the failed student as well.
The logic to find that is, "If the _raw doesn't contain the string 'FirstClass' or 'SecondClass' or 'ThirdClass' , then whatever remaining in _raw is considered as 'Failed'. How do I implement this logic using case?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-22-2018 07:49 AM

@zacksoft, you can use searchmatch() to find pattern in raw events (ideally you should create field extractions).
As per the question you have case() conditions to match A, B and C grades and everything else is supposed to be considered as Failed. So, you can use true() or 1==1 condition in the case() statement to defined unmatched events as Failed. Please try the following run anywhere search and confirm:

| makeresults 
| eval data="FirstClass;SecondClass;ThirdClass;Others"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| eval usage=case(searchmatch("FirstClass"),"A_Grade",searchmatch("SecondClass"),"B_Grade",searchmatch("ThirdClass"),"C_Grade",true(),"Failed")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-22-2018 07:49 AM

@zacksoft, you can use searchmatch() to find pattern in raw events (ideally you should create field extractions).
As per the question you have case() conditions to match A, B and C grades and everything else is supposed to be considered as Failed. So, you can use true() or 1==1 condition in the case() statement to defined unmatched events as Failed. Please try the following run anywhere search and confirm:

| makeresults 
| eval data="FirstClass;SecondClass;ThirdClass;Others"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| eval usage=case(searchmatch("FirstClass"),"A_Grade",searchmatch("SecondClass"),"B_Grade",searchmatch("ThirdClass"),"C_Grade",true(),"Failed")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

zacksoft
Contributor
‎05-22-2018 08:04 AM

Absolutely brilliant. Thank you very much. The solution you provided does exactly what I wanted.

Reply
Solved! Jump to solution

niketn
Legend
‎05-22-2018 08:07 AM

@zacksoft, glad it worked 🙂 Accept the answer to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-22-2018 04:29 AM

Use this:

| eval usage=case(like(_raw,"%FirstClass%"),"A_Grade",like(_raw,"%SecondClass%"),"B_Grade",like(_raw,"%ThirdClass%"),"C_Grade", true(), "failed")

Case will take the first statement that is true, so the true() will be the last-case-fallback and return "failed" for all that did not meet any other criteria before.

Reply
Solved! Jump to solution

zacksoft
Contributor
‎05-22-2018 04:57 AM

Thanks @xpac.
But it only returns me the events that are "failed". It won't return me A_Grade, B_Grade, C_Grade data !

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-22-2018 07:31 AM

If that's the case, it's an issue with the rest of your query. Eval never filters anything out.

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎05-22-2018 07:29 AM

That approach to put a true(),"failed" option at the end of the case statement is perfectly valid though. Can you post the exact code you tested with? Please post it as code (using the 101010 button).

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...