Eval Description possibly not working due to special character in field

kmccowen
Path Finder

Query:

index=ctap host=sc58* sourcetype=gateway "PAYMENT REQUEST FAILED" pay_type="PAYMENT REQUEST FAILED - CC payments" 
| chart count by pay_fail_rsn 
| sort count | reverse 
| eval Description = case(pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 7 - Invalid amount field -","Invalid amount field",
    pay_fail_rsn  = "CCC03E-AUTHORIZATION DECLINED -", "Authorization Declined",
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 2 - Invalid cardholder number -", "Invalid Cardholder Number", 
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 5 - Invalid transaction type -", "Invalid Transaction Type",
    pay_fail_rsn = "CCNUMBER; CCE05E-INVALID CREDIT CARD NUMBER -","Invalid Credit Card Number",
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 3 - Invalid expiration date -","Invalid Expiration Date",
    pay_fail_rsn = "CCC06E-NOT PROCESSED, AUTH REFERRAL -","Not Processed, Auth Referral",
    pay_fail_rsn = "Good response-check reject rsn -","Not Processed, Reason Unknown",
    pay_fail_rsn = "CCEXP_DATE; CCE08E-INVALID EXPIRATION DATE -","Invalid Expiration Date",
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - M - General message format problem -","Message Format Problem",
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - J - Function unavailable -","Function Unavailable", 
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 6 - [unknown] -", "Not Processed, Reason Unknown", 
    pay_fail_rsn = "CCC09E-CALL 800-247-4976 -", "Call 1-800-247-4976",
    pay_fail_rsn = "[EBS] Invalid request - Amount. Is Required -","Amount Required")
| table Description , count

Result:

Description count
Invalid amount field 300
Authorization Declined 243
Invalid Cardholder Number 190
Invalid Transaction Type 44
Invalid Credit Card Number 37
Invalid Expiration Date 21
Not Processed, Auth Referral 6
5
Not Processed, Reason Unknown 5
Invalid Expiration Date 4
Message Format Problem 3
Function Unavailable 2
Not Processed, Reason Unknown 2
Call 1-800-247-4976

Why is only this one failing to EVAL? Is it the brackets? How do I deal with it?

pay_fail_rsn = "[EBS] Invalid request - Amount. Is Required -","Amount Required"

0 Karma

lguinn2
Legend

First, a tip: you can replace this | sort count | reverse with | sort -count. It will be more efficient.

Second, I would probably use a lookup table instead of the long case statement. The table might look like this

pay_fail_rsn,pay_fail_category
"Good response-check reject rsn - Rejected Reason - 7 - Invalid amount field -","Invalid amount field"
"CCC03E-AUTHORIZATION DECLINED -","Authorization Declined"
"Good response-check reject rsn - Rejected Reason - 2 - Invalid cardholder number -","Invalid Cardholder Number"

Once you set up a lookup based on this table, the search would look like this:

index=ctap host=sc58* sourcetype=gateway "PAYMENT REQUEST FAILED" pay_type="PAYMENT REQUEST FAILED - CC payments" 
| chart count by pay_fail_rsn 
| sort -count 
| lookup pay_fail_lookup pay_fail_rsn OUTPUT pay_fail_category
| table pay_fail_category count

Finally, to answer your question: I don't know! I don't see a typo in your command. The [] should have no effect. To debug, I suggest that you replace the last two lines of your original search with

    pay_fail_rsn = "[EBS] Invalid request - Amount. Is Required -","Amount Required",
    1==1,pay_fail_rsn)
| table Description count

This adds a final category to the case command: any pay_fail_rsn value that does not match the previous categories will be assigned to the Description.

0 Karma
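
The debugging step suggested in the answer above can be tried on constructed data first. This is an added example, not part of the original thread: the three sample values, the trailing space in row 2, and the field names n, sample, rsn_len and rsn_encoded are all assumptions made for illustration. It shows that an exact match on the bracketed string succeeds in case(), and that the catch-all branch together with len() and urlencode() exposes a value that looks identical in the results table but differs by a character.

```spl
| makeresults count=3
| streamstats count AS n
| eval sample="constructed"
| eval pay_fail_rsn=case(
    n=1, "[EBS] Invalid request - Amount. Is Required -",
    n=2, "[EBS] Invalid request - Amount. Is Required - ",
    n=3, "CCC03E-AUTHORIZATION DECLINED -")
| eval Description=case(
    pay_fail_rsn="CCC03E-AUTHORIZATION DECLINED -", "Authorization Declined",
    pay_fail_rsn="[EBS] Invalid request - Amount. Is Required -", "Amount Required",
    true(), "UNMATCHED: ".pay_fail_rsn)
| eval rsn_len=len(pay_fail_rsn), rsn_encoded=urlencode(pay_fail_rsn)
| table n sample Description rsn_len rsn_encoded
```

Row 1 resolves to "Amount Required" and row 2 falls through to the catch-all; appending the same rsn_len and rsn_encoded evals to the real search shows whether the indexed pay_fail_rsn differs from the literal typed into case().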