How to create a case statement with NOT LIKE option?

zacksoft
Contributor
| eval usage=case(like(_raw,"%FirstClass%"),"A_Grade",like(_raw,"%SecondClass%"),"B_Grade",like(_raw,"%ThirdClass%"),"C_Grade")

My question is, in the above statement when I draw a pie chart it gives me A_Grade, B_Grade and C_Grade. However, I want to see all the failed students in the chart as well.
My _raw contains all the events, i.e. all three grades and the failed students as well.
The logic to find them is: "If the _raw doesn't contain the string 'FirstClass' or 'SecondClass' or 'ThirdClass', then whatever remains in _raw is considered 'Failed'." How do I implement this logic using case?

0 Karma
1 Solution

niketn
Legend

@zacksoft, you can use searchmatch() to find patterns in raw events (ideally you should create field extractions).
As per the question you have case() conditions to match A, B and C grades, and everything else is supposed to be considered as Failed. So, you can use a true() or 1==1 condition in the case() statement to define unmatched events as Failed. Please try the following run-anywhere search and confirm:

| makeresults 
| eval data="FirstClass;SecondClass;ThirdClass;Others"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| eval usage=case(searchmatch("FirstClass"),"A_Grade",searchmatch("SecondClass"),"B_Grade",searchmatch("ThirdClass"),"C_Grade",true(),"Failed")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


zacksoft
Contributor

Absolutely brilliant. Thank you very much. The solution you provided does exactly what I wanted.

niketn
Legend

@zacksoft, glad it worked 🙂 Accept the answer to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

xpac
SplunkTrust

Use this:

| eval usage=case(like(_raw,"%FirstClass%"),"A_Grade",like(_raw,"%SecondClass%"),"B_Grade",like(_raw,"%ThirdClass%"),"C_Grade", true(), "failed")

Case will take the first statement that is true, so the true() will be the last-case fallback and return "failed" for all events that did not meet any of the criteria before it.

zacksoft
Contributor

Thanks @xpac.
But it only returns me the events that are "failed". It won't return me the A_Grade, B_Grade, C_Grade data!

0 Karma

xpac
SplunkTrust

If that's the case, it's an issue with the rest of your query. Eval never filters anything out.

0 Karma

FrankVl
Ultra Champion

That approach of putting a true(),"failed" option at the end of the case statement is perfectly valid, though. Can you post the exact code you tested with? Please post it as code (using the 101010 button).
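The following run-anywhere search is an added example, not code from any of the posters above. It builds five constructed sample events (the student names and the result= values are made up for the demonstration), classifies them with the like()-based case() plus the true() fallback from the answers, and then checks that fallback against the explicit NOT like(...) AND NOT like(...) form the question title asks about. The closing stats shows all four buckets side by side, which is the quickest way to confirm that eval keeps every event and that the only thing that can drop the graded rows is a filter elsewhere in the pipeline.

```spl
| makeresults count=5
| streamstats count AS n
| eval _raw=case(n==1,"student=alice result=FirstClass",
                 n==2,"student=bob result=SecondClass",
                 n==3,"student=carol result=ThirdClass",
                 n==4,"student=dave result=Withdrawn",
                 n==5,"student=erin result=NoShow")
| eval usage=case(like(_raw,"%FirstClass%"),"A_Grade",
                  like(_raw,"%SecondClass%"),"B_Grade",
                  like(_raw,"%ThirdClass%"),"C_Grade",
                  true(),"Failed")
| eval failed_explicit=if(NOT like(_raw,"%FirstClass%")
                          AND NOT like(_raw,"%SecondClass%")
                          AND NOT like(_raw,"%ThirdClass%"),
                          "Failed","Graded")
| eval consistent=if((usage=="Failed" AND failed_explicit=="Failed")
                     OR (usage!="Failed" AND failed_explicit=="Graded"),
                     "yes","no")
| stats count BY usage failed_explicit consistent
```

Expected result: one row each for A_Grade, B_Grade and C_Grade (failed_explicit=Graded, consistent=yes) and one row for Failed with count 2 (failed_explicit=Failed, consistent=yes). If a real search shows only the Failed bucket, the graded events were removed before or after this eval, since neither case() branch nor the true() fallback filters anything.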
