Query:
index=ctap host=sc58* sourcetype=gateway "PAYMENT REQUEST FAILED" pay_type="PAYMENT REQUEST FAILED - CC payments"
| chart count by pay_fail_rsn
| sort count | reverse
| eval Description = case(pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 7 - Invalid amount field -","Invalid amount field",
pay_fail_rsn = "CCC03E-AUTHORIZATION DECLINED -", "Authorization Declined",
pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 2 - Invalid cardholder number -", "Invalid Cardholder Number",
pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 5 - Invalid transaction type -", "Invalid Transaction Type",
pay_fail_rsn = "CCNUMBER; CCE05E-INVALID CREDIT CARD NUMBER -","Invalid Credit Card Number",
pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 3 - Invalid expiration date -","Invalid Expiration Date",
pay_fail_rsn = "CCC06E-NOT PROCESSED, AUTH REFERRAL -","Not Processed, Auth Referral",
pay_fail_rsn = "Good response-check reject rsn -","Not Processed, Reason Unknown",
pay_fail_rsn = "CCEXP_DATE; CCE08E-INVALID EXPIRATION DATE -","Invalid Expiration Date",
pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - M - General message format problem -","Message Format Problem",
pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - J - Function unavailable -","Function Unavailable",
pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 6 - [unknown] -", "Not Processed, Reason Unknown",
pay_fail_rsn = "CCC09E-CALL 800-247-4976 -", "Call 1-800-247-4976",
pay_fail_rsn = "[EBS] Invalid request - Amount. Is Required -","Amount Required")
| table Description , count
Result:
Description count
Invalid amount field 300
Authorization Declined 243
Invalid Cardholder Number 190
Invalid Transaction Type 44
Invalid Credit Card Number 37
Invalid Expiration Date 21
Not Processed, Auth Referral 6
5
Not Processed, Reason Unknown 5
Invalid Expiration Date 4
Message Format Problem 3
Function Unavailable 2
Not Processed, Reason Unknown 2
Call 1-800-247-4976
Why is only this one failing to EVAL? Is it the brackets? How do I deal with it?
pay_fail_rsn = "[EBS] Invalid request - Amount. Is Required -","Amount Required"
First, a tip: you can replace this | sort count | reverse
with | sort -count
. It will be more efficient.
Second, I would probably use a lookup table instead of the long case statement. The table might look like this
pay_fail_rsn,pay_fail_category
"Good response-check reject rsn - Rejected Reason - 7 - Invalid amount field -","Invalid amount field"
"CCC03E-AUTHORIZATION DECLINED -", "Authorization Declined"
"Good response-check reject rsn - Rejected Reason - 2 - Invalid cardholder number -", "Invalid Cardholder Number"
Once you set up a lookup based on this table, the search would look like this:
index=ctap host=sc58* sourcetype=gateway "PAYMENT REQUEST FAILED" pay_type="PAYMENT REQUEST FAILED - CC payments"
| chart count by pay_fail_rsn
| sort -count
| lookup pay_fail_lookup pay_fail_rsn OUTPUT pay_fail_category
| table pay_fail_category count
Finally, to answer your question: I don't know! I don't see a typo in your command. The []
should have no effect. To debug, I suggest that you replace the last two lines of your original search with
pay_fail_rsn = "[EBS] Invalid request - Amount. Is Required -","Amount Required",
1==1,pay_fail_rsn)
| table Description count
This adds a final category to the case command: any pay_fail_rsn value that does not match the previous categories will be assigned to the Description.