Splunk Search

How can I use an eval expression with a result other than previously defined?

robertspeckmann
Explorer

Hi,

I'm currently building a dashboard and one of my search strings is the one below. I currently see the values GPS and NIAS, but there is a third kind which is an irregular value. Is it possible to make the string (at ?????) put the irregular value in a value displayed as "Other"?

index=Adapter (GPS OR NIAS)| rex field=_raw "ConversationID=(?<bericht>.*)" | eval n=substr(bericht,1,3) | chart count(eval(n="GPS")) AS "GPS", count(eval(n="NIA")) AS "NIAS" , ????????? AS "OVERIG" | transpose

Thank you

0 Karma
1 Solution

baerts
Path Finder

Hi Robert, I don't know the range of the n variable, but the next line
index=Adapter (GPS OR NIAS)| rex field=_raw "ConversationID=(?<bericht>.*)" | eval n=substr(bericht,1,3) | eval code=case(n="GPS","GPS",n="NIA","NIAS",0=0,"OVERIG")|chart count by code | transpose
will show 3 values in the graph: GPS, NIAS or OVERIG.

0 Karma

robertspeckmann
Explorer

Thanks for the quick response baerts, but it won't compile yet:

index=Adapter (GPS OR NIAS)| rex field=_raw "ConversationID=(?.*)" | eval n=substr(bericht,1,3) | eval code=case(n=“GPS”,”GPS”,n=“NIA”,”NIAS”,0=0,”OVERIG”)|chart count by code | transpose

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '“GPS”,”GPS”,n=“NIA”,”NIAS”,0=0,”OVERIG”)'.

0 Karma

baerts
Path Finder

Hi Robert, I also got an error when I copied the expression; after I typed it by hand, it worked. I also removed the quotes (") from OVERIG, NIAS and GPS.

0 Karma

robertspeckmann
Explorer

OK so the string would be:

index=tibco TerweeAdapter (GPS OR NIAS)| rex field=_raw "ConversationID=(?<bericht>.*)" | eval n=substr(bericht,1,3) | eval code=case(n=GPS,GPS,n=NIA,NIAS,0=0,OVERIG)|chart count by code | transpose

The result now is:

column
code
count

Before
column row 1
GPS 72
NIAS 12

So I'm still not getting the proper response 😞

0 Karma

baerts
Path Finder

You need to put the quotes back 😞, I found out (actually I'm testing with index=_internal).

0 Karma

robertspeckmann
Explorer

We're getting there, just a little more. I don't see the value "OVERIG", but I know there are at least 3 results. Why isn't the string showing the 3rd row?

column row 1 row 2
code GPS NIAS
count 534 70

0 Karma

baerts
Path Finder

What does ...eval code=.....|stats count by code show?

0 Karma

robertspeckmann
Explorer

index=tibco TerweeAdapter (GPS OR NIAS)| rex field=_raw "ConversationID=(?<bericht>.*)" | eval n=substr(bericht,1,3) | eval code=case(n="GPS","GPS",n="NIA","NIAS",0=0,"OVERIG") | chart count by code

code count
GPS 76
NIAS 12

index=tibco TerweeAdapter (GPS OR NIAS)| rex field=_raw "ConversationID=(? .*)" | eval n=substr(bericht,1,3) | eval code=case(n="GPS","GPS",n="NIA","NIAS",0=0,"OVERIG") | stats count by code

code count
GPS 76
NIAS 12

Same result... still the last variable is missing for some reason

ConversationID=(? .*) is weird btw, because it's missing the word "bericht" between "<" and ">", which is in my string of course.

0 Karma

robertspeckmann
Explorer

I have the solution! Because of the criteria at the front of the string (GPS OR NIAS) it could never find anything other than GPS or NIAS, so OVERIG never appeared... With that filter deleted and the 0=0 solution, I finally got it:

index=tibco TerweeAdapter | rex field=_raw "ConversationID=(?<bericht>.*)" | eval n=substr(bericht,1,3) | eval code=case(n="GPS","GPS",n="NIA","NIAS",0=0,"OVERIG") | stats count by code

code count
GPS 76
NIAS 12
OVERIG 9

Thanks for the help!
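To make the cause of the missing OVERIG row reproducible offline, here is an added Python model of the pipeline from this thread (not Splunk code and not from either poster): it applies the rex, the substr, the case() with its 0=0 catch-all, and stats count by code to a handful of constructed events, once with the (GPS OR NIAS) base-search filter and once without. The keyword filter is simplified to a case-sensitive substring match, which is an assumption; Splunk's real term matching is tokenized and case-insensitive.

```python
import re
from collections import Counter

# Constructed sample events in the shape the thread describes (not real data):
# the first three characters of ConversationID identify the message kind,
# and the XYZ/ABC events are the "irregular" third kind.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00 TerweeAdapter ConversationID=GPS-0001 status=ok",
    "2024-05-01T10:00:01 TerweeAdapter ConversationID=GPS-0002 status=ok",
    "2024-05-01T10:00:02 TerweeAdapter ConversationID=NIAS-0001 status=ok",
    "2024-05-01T10:00:03 TerweeAdapter ConversationID=XYZ-0001 status=retry",
    "2024-05-01T10:00:04 TerweeAdapter ConversationID=ABC-0002 status=ok",
]

# Mirrors: rex field=_raw "ConversationID=(?<bericht>.*)"
REX = re.compile(r"ConversationID=(?P<bericht>.*)")


def base_search(events, terms):
    """Simplified model of the (GPS OR NIAS) keyword filter (assumption:
    plain substring match). Events matching no term never reach eval."""
    return [e for e in events if any(t in e for t in terms)]


def classify(event):
    """Model of: eval n=substr(bericht,1,3)
    | eval code=case(n="GPS","GPS", n="NIA","NIAS", 0=0,"OVERIG")
    case() is evaluated top to bottom; 0=0 is the always-true default."""
    m = REX.search(event)
    if not m:
        return None  # no bericht field: code is null and stats skips the event
    n = m.group("bericht")[0:3]
    if n == "GPS":
        return "GPS"
    if n == "NIA":
        return "NIAS"
    return "OVERIG"


def stats_count_by_code(events):
    """Model of: | stats count by code (null codes are not counted)."""
    return Counter(c for c in map(classify, events) if c is not None)


def counts(filter_terms=None):
    """Run the pipeline with an optional base-search keyword filter."""
    events = SAMPLE_EVENTS if filter_terms is None else base_search(SAMPLE_EVENTS, filter_terms)
    return dict(stats_count_by_code(events))


if __name__ == "__main__":
    print("with (GPS OR NIAS):", counts(["GPS", "NIAS"]))  # OVERIG never appears
    print("without filter:   ", counts())                  # OVERIG is counted
```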
