Without the quotes, you're asking eval to compare the value of the field tag to the value of the field audit and cleared, respectively. I'm guessing you'd want quotes around those?
Thanks Ayn. That makes sense, about the quotes I mean. So I tried this:
tag=audit OR tag=cleared ""
This search generated events with:
tag::eventtype, value=audit
tag::eventtype, value=cleared
but when I do this:
tag=audit OR tag=cleared "" | stats count by tag
I get zero results. I guess I am confused about tag relationships.
The quotes are only supposed to be around the VALUE, not the field name as well. So tag == "audit". Otherwise you're just giving case a string and not telling it what to actually do with it.
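To make the distinction concrete, here is a corrected form of the search discussed in this thread. It is an added example, not a search posted by any participant or taken from Splunk's documentation. It assumes the same base search as above (with the stray empty string literal dropped, on the assumption it was not intended) and adds a true() catch-all branch, which is standard eval case() syntax, so events that match neither condition still receive a value instead of a null Event field:

```spl
tag=audit OR tag=cleared
| eval Event=case(tag=="audit", "Logging Stopped", tag=="cleared", "Logs Cleared", true(), "Other")
| stats count by Event
```

Only the string literals on the right-hand side of each comparison and the result labels are quoted; the field name tag is bare. case() evaluates its condition/value pairs in order and returns the value of the first condition that is true, so the true() pair must come last. Counting by Event rather than by tag gives a quick view of how often audit-logging-stopped and log-cleared events occur, which is the kind of distribution worth watching in a detection context.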
Oh, sorry, I misunderstood the question. When I do this
tag=audit OR tag=cleared "" | eval Event=case( "tag == audit", "Logging Stoped", "tag == cleared", "Logs Cleared" )
I get this error:
Error in 'eval' command: The arguments to the 'case' function are invalid
Yes, you're using it without quotes. That is wrong. You just said you got a syntax error with quotes. What was it?
I do not get any errors; the search runs as expected and generates events as expected, but the eval command does not generate the field named "Event" using the case function.
Yup. So what does it look like in your case? What error are you getting?
I tried with the added quotes and the case function throws a syntax error.
The example on Splunk docs is like this:
... | eval description=case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")