Assigning arbitrary values to a variable dependent...

wardallen · ‎02-18-2014

I have a transaction defined where a trade goes through some stages in its lifecycle. Unfortunately, the markers for these stages aren't consistent in their form, eg.

"<$DealId> : The deal has hit stage BOOKED"

"<$DealId> : The deal is EXECUTED"

"<$DealId> : Received CONFIRMATION"

will be found at various times in the transaction.

I have come up with a query, but it keeps throwing errors : "Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]). "

Here's the query

DealId="*" | transaction DealId |

eval confirmed=searchmatch("Received CONFIRMATION") |

eval executed=searchmatch("The deal is EXECUTED" AND "DownstreamSystemId" |

eval booked=searchmatch("Deal has hit stage EXECUTED") |

eval status=case(confirmed==true, "CONFIRMED", executed==true, "EXECUTED", booked==true, "BOOKED")

| table DealId, allocQty, price, value, transactTime, status

A completed transaction will have all of these stages, I'm trying to keep track of which stage a particular deal is up to.

It also feels horribly inefficient, is there a better way of writing this query?

somesoni2 · ‎02-18-2014

Try this

DealId="*" | transaction DealId |
eval status=case(searchmatch("Received CONFIRMATION"), "CONFIRMED", searchmatch("\"The deal is EXECUTED\" AND \"DownstreamSystemId\""), "EXECUTED", searchmatch("Deal has hit stage EXECUTED"), "BOOKED")| table DealId, allocQty, price, value, transactTime, status

Assigning arbitrary values to a variable dependent on subsearch

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases