Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use "case" command with count?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use "case" command with count?
I am looking to make a "pulse" dashboard for a host on my network, it will pulse green up when up and red when down.
so far I have:
index=index sourcetype=sourcetype log_type=type hostname=host
| eval logs=case(count>0, "1", count=0, "2")
| eval Status=case(Logs=1, "Green", Logs=2, "Red")
I believe there is an error in the case line with the count. I have to be missing something.
any insight would be helpful!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is it that you are trying to achieve (because you have tagged timechart and stats for example, but are not doing any stats based on time)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ajmach343
You need to perform an aggregation using stats count before you can use the count field in an eval statement. The count field is generated by aggregation commands, not available directly during the eval processing of individual events.
index=index sourcetype=sourcetype log_type=type hostname=host | stats count | eval Status=case(count > 0, "Green", count == 0, "Red")
The stats count command counts the number of events matching your initial search criteria for the specified host within the selected time range. The result is a single row containing the count field. Then, the eval command uses the case function to check the value of this count field and assign "Green" or "Red" to the Status field accordingly
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for that bit!
this is the rest of what I have come up with:
index=index sourcetype=sourcetype log_type=type host=host
| stats count
| eval Logs=case(count>0, "Green", count=0, "Red")
| eval pulse="pulse"
| fillnull logs
| fillnull value=green Logs
| table Logs pulse
This will be in a "studio dashboard"
|
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Apart from what's already beem said, you're using the case() function where a simple if() would suffice. case() is good when you want to handle separate disjoint cases and still it's good to have a fallback case at the end. Since the conditions in case() are evaluated left to right and the first matching case is used, typical use for case is something like that:
| eval field=(conditions1, value1, conditions2, value2,... , always_true, fallback_value)
Per convention the always_true condition is usually 1=1 (this one is indeed always true).
Without that fallback condition you might end up with the field not filled with any value if no conditions match your data.
What's important with case() is that the conditions are evaluated from left to right so it can be used to narrow the scope of comparisons if used correctly. For example
| eval result=case(x<0,"negative x", y>0, "non-negative x, positive y", 1=1, "non-negative x, non-positive y")
As you can see, subsequent conditions do not reference x field at all because the first comparison already handled all negative x-es and there is no chance we'd get to those cases with negative x.
But circling back to your search - unless you can have another value not handled by the case() (which you then should add to the conditions), it's sufficient to use a simple if() function. It might be a tiny bit faster since it only handles one simple boolean test and assigns the value based on whether the result is true or false. And you're guaranteed to have a value as a result because the condition can only evaluate to true or false. Whether this value is the correct one is a completely different story 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have made a number of errors with your field naming - you are mixing Logs and logs - to Splunk these are different fields, so in your first example you do
| eval logs=case(count>0, "1", count=0, "2")
| eval Status=case(Logs=1, "Green", Logs=2, "Red")where you are testing Logs in the second statement, but set logs in the first and in your latest post you do
| fillnull logswhich will create a lower case logs field with a value of 0, which you then immediately follow with a fillnull for Logs.
So, take care with field names.
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Splunk App Dev Community Updates – What’s New and What’s Next
The Latest Cisco Integrations With Splunk Platform!
