Splunk Search

How can I use an eval expression with a result other than previously defined?

robertspeckmann
Explorer

Hi,

I'm currently building a dashboard, and one of my search strings is the one below. I currently see the values GPS and NIAS, but there is a third kind, which is an irregular value. Is it possible to make the string (the ????? part) put the irregular value in a value displayed as "Other"?

index=Adapter (GPS OR NIAS)| rex field=_raw "ConversationID=(?.*)" | eval n=substr(bericht,1,3) | chart count(eval(n="GPS")) AS "GPS", count(eval(n="NIA")) AS "NIAS" , ????????? AS "OVERIG" | transpose

Thank you

0 Karma
1 Solution

baerts
Path Finder

Hi Robert, I don't know the range of the n variable, but the next line
index=Adapter (GPS OR NIAS)| rex field=_raw "ConversationID=(?.*)" | eval n=substr(bericht,1,3) | eval code=case(n=“GPS”,”GPS”,n=“NIA”,”NIAS”,0=0,”OVERIG”)|chart count by code | transpose
will show 3 values in the graph: GPS, NIAS or OVERIG.


0 Karma

robertspeckmann
Explorer

Thanks for the quick response, baerts, but it won't compile yet:

index=Adapter (GPS OR NIAS)| rex field=_raw "ConversationID=(?.*)" | eval n=substr(bericht,1,3) | eval code=case(n=“GPS”,”GPS”,n=“NIA”,”NIAS”,0=0,”OVERIG”)|chart count by code | transpose

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '“GPS”,”GPS”,n=“NIA”,”NIAS”,0=0,”OVERIG”)'.

0 Karma

baerts
Path Finder

Robert, hi. I also got an error when I copied the expression; after I typed it by hand, it worked. I also removed the " and " from OVERIG, NIAS and GPS.

0 Karma

robertspeckmann
Explorer

OK so the string would be:

index=tibco TerweeAdapter (GPS OR NIAS)| rex field=_raw "ConversationID=(?.*)" | eval n=substr(bericht,1,3) | eval code=case(n=GPS,GPS,n=NIA,NIAS,0=0,OVERIG)|chart count by code | transpose

The result now is:

column
code
count

Before
column row 1
GPS 72
NIAS 12

So I'm still not getting the proper response 😞

0 Karma

baerts
Path Finder

You need to put the quotes back 😞 I found out (actually I'm testing with index=_internal).

0 Karma

robertspeckmann
Explorer

We're getting there, just a little more. I don't see the value "OVERIG", but I know there are at least 3 results. Why isn't the string showing the 3rd row?

column row 1 row 2
code GPS NIAS
count 534 70

0 Karma

baerts
Path Finder

What does ...eval code=.....|stats count by code show?

0 Karma

robertspeckmann
Explorer

index=tibco TerweeAdapter (GPS OR NIAS)| rex field=_raw "ConversationID=(?.*)" | eval n=substr(bericht,1,3) | eval code=case(n="GPS","GPS",n="NIA","NIAS",0=0,"OVERIG") | chart count by code

code count
GPS 76
NIAS 12

index=tibco TerweeAdapter (GPS OR NIAS)| rex field=_raw "ConversationID=(? .*)" | eval n=substr(bericht,1,3) | eval code=case(n="GPS","GPS",n="NIA","NIAS",0=0,"OVERIG") | stats count by code

code count
GPS 76
NIAS 12

Same result... the last variable is still missing for some reason.

ConversationID=(? .*) is weird, btw, because it's missing the word "bericht" between "<" and ">", which is in my string of course.

0 Karma

robertspeckmann
Explorer

I have the solution! Because of the criteria at the front of the string (GPS OR NIAS) it could never find anything else to count as OVERIG... With that one deleted and the 0=0 solution I finally got it:

index=tibco TerweeAdapter | rex field=_raw "ConversationID=(?.*)" | eval n=substr(bericht,1,3) | eval code=case(n="GPS","GPS",n="NIA","NIAS",0=0,"OVERIG") | stats count by code

code count
GPS 76
NIAS 12
OVERIG 9

Thanks for the help!
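The pitfall the thread ends on, as an added Python illustration (not SPL from the thread and not Splunk's own code): the rex, substr and case() steps are reproduced over a few constructed events, and the same counts are run with and without the base search's (GPS OR NIAS) term filter, which is what hid the catch-all bucket. The named capture group "bericht" is assumed from the poster's remark that the forum stripped it from the display; the term filter is simplified to a substring match.

```python
import re
from collections import Counter

# Constructed sample events (not from the thread); the ConversationID
# values mimic the three kinds discussed: GPS..., NIAS... and an
# irregular one that only a catch-all branch can pick up.
SAMPLE_EVENTS = [
    "2024-03-01 10:00:01 ConversationID=GPS0001 status=ok",
    "2024-03-01 10:00:02 ConversationID=GPS0002 status=ok",
    "2024-03-01 10:00:03 ConversationID=NIAS001 status=ok",
    "2024-03-01 10:00:04 ConversationID=XYZ9999 status=retry",
    "2024-03-01 10:00:05 ConversationID=ZZ status=error",
]

# Equivalent of the thread's rex; the group name "bericht" is assumed
# from the poster's comment that "<bericht>" was stripped from the page.
CONVERSATION_RE = re.compile(r"ConversationID=(?P<bericht>.*)")


def classify(event):
    """rex + eval n=substr(bericht,1,3) + eval code=case(...) for one event.

    Returns None when rex does not match: Splunk would leave code null
    and 'stats count by code' would not count that event under any code.
    """
    m = CONVERSATION_RE.search(event)
    if m is None:
        return None
    n = m.group("bericht")[:3]      # substr(bericht,1,3)
    if n == "GPS":                  # case(n="GPS","GPS",
        return "GPS"
    if n == "NIA":                  #      n="NIA","NIAS",
        return "NIAS"
    return "OVERIG"                 #      0=0,"OVERIG")  <- catch-all branch


def count_by_code(events, prefilter):
    """stats count by code, optionally applying the base search's
    (GPS OR NIAS) term filter first, which drops the irregular events
    before the catch-all branch can ever see them."""
    if prefilter:
        # Simplification of Splunk's term search: keep raw events that
        # contain either keyword anywhere in the text.
        events = [e for e in events if "GPS" in e or "NIAS" in e]
    counts = Counter(classify(e) for e in events)
    counts.pop(None, None)          # unmatched events carry no code
    return dict(counts)
```

With the filter in place only GPS and NIAS appear, exactly as in the poster's tables; dropping it makes OVERIG show up.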
