Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

case function -- why can't I operate on the results of a case function?

pgiffd
New Member
‎06-23-2017 02:35 PM

case function -- why can't I operate on the results of a case function? After the eval case function, I got 100 rows. I want to eliminate 30 of them using a standard where clause. (ex. where fieldA = "X" should remove all rows where fieldA = "Y".) All the rows remain. How can I exclude rows? I need to execute 5 cases, and then at the end I want to remove what wasn't found in any of them.

Tags (2)
0 Karma
Reply

acharlieh
Influencer
‎06-23-2017 03:24 PM

This was getting long for a comment...

(ex. where fieldA = "X" should remove all rows where fieldA = "Y".)

This is not actually correct... unset/null fields, and multivalued fields make this logic a bit more complex. |where fieldA="X" keeps all rows where a value of the field is X... some of those rows could have fieldA="Y" as well.

I'm going to use this runanywhere query for an example base query: 

| makeresults count=12 | streamstats count | eval fieldA=case(count%4=1,"X",count%4=2,"Y",count%4=3,split("X,Y",","))

We have 3 rows (1,5,9) where fieldA="X", 3 rows (2,6,10) where fieldA="Y", 3 rows (3,7,11) where fieldA is both, and 3 rows (4,8,12) where fieldA is null.

<basesearch> | where fieldA="X"

actually gives 6 rows (1,5,9, and 3,7,11), on half of these, fieldA="Y" 

<basesearch> | where NOT fieldA="Y"

which gives you 6 rows (1,5,9 and 4,8,12)... on the latter 3 now, fieldA doesn't exist, so fieldA="Y" is false 

<basesearch> | where fieldA!="Y"

which gives you only 3 rows (1,5,9) (or where fieldA equals a value that isn't Y)

<basesearch> | where isnull(fieldA)

which gives you only the 3 rows (4,8,12) where fieldA isn't any value at all

This should also show that using eval with case to generate a field and then filter on it with where is indeed possible, and the last one might be what you're looking for, but as @pyro_wood mentions to solve your particular case we likely need more specific information.

Reply

DalJeanis
Legend
‎06-23-2017 04:31 PM

@charlieh gave you a great answer and a demo why.

Just in case you need to understand what to do about it, here's one way...

| eval mynewfield=case(firsttest=1,"pass1",  secondtest="whatever","pass2",   .... lasttest="ok","lastpass",   true(),null()   )
| where isnotnull(mynewfield)
0 Karma
Reply

horsefez
Motivator
‎06-23-2017 02:45 PM

Hi,

it's not very clear what you are trying to do, or whats the actual problem.
Please post your query and some sample events.
Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...