
Eval Description possibly not working due to special character in field

kmccowen
Path Finder

Query:

index=ctap host=sc58* sourcetype=gateway "PAYMENT REQUEST FAILED" pay_type="PAYMENT REQUEST FAILED - CC payments" 
| chart count by pay_fail_rsn 
| sort count | reverse 
| eval Description = case(pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 7 - Invalid amount field -","Invalid amount field",
    pay_fail_rsn  = "CCC03E-AUTHORIZATION DECLINED -", "Authorization Declined",
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 2 - Invalid cardholder number -", "Invalid Cardholder Number", 
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 5 - Invalid transaction type -", "Invalid Transaction Type",
    pay_fail_rsn = "CCNUMBER; CCE05E-INVALID CREDIT CARD NUMBER -","Invalid Credit Card Number",
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 3 - Invalid expiration date -","Invalid Expiration Date",
    pay_fail_rsn = "CCC06E-NOT PROCESSED, AUTH REFERRAL -","Not Processed, Auth Referral",
    pay_fail_rsn = "Good response-check reject rsn -","Not Processed, Reason Unknown",
    pay_fail_rsn = "CCEXP_DATE; CCE08E-INVALID EXPIRATION DATE -","Invalid Expiration Date",
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - M - General message format problem -","Message Format Problem",
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - J - Function unavailable -","Function Unavailable", 
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 6 - [unknown] -", "Not Processed, Reason Unknown", 
    pay_fail_rsn = "CCC09E-CALL 800-247-4976 -", "Call 1-800-247-4976",
    pay_fail_rsn = "[EBS] Invalid request - Amount. Is Required -","Amount Required")
| table Description , count

Result:

Description count
Invalid amount field 300
Authorization Declined 243
Invalid Cardholder Number 190
Invalid Transaction Type 44
Invalid Credit Card Number 37
Invalid Expiration Date 21
Not Processed, Auth Referral 6
5
Not Processed, Reason Unknown 5
Invalid Expiration Date 4
Message Format Problem 3
Function Unavailable 2
Not Processed, Reason Unknown 2
Call 1-800-247-4976

Why is only this one failing to EVAL? Is it the brackets? How do I deal with it?

pay_fail_rsn = "[EBS] Invalid request - Amount. Is Required -","Amount Required"


lguinn2
Legend

First, a tip: you can replace this | sort count | reverse with | sort -count. It will be more efficient.

Second, I would probably use a lookup table instead of the long case statement. The table might look like this:

pay_fail_rsn,pay_fail_category
"Good response-check reject rsn - Rejected Reason - 7 - Invalid amount field -","Invalid amount field"
"CCC03E-AUTHORIZATION DECLINED -","Authorization Declined"
"Good response-check reject rsn - Rejected Reason - 2 - Invalid cardholder number -","Invalid Cardholder Number"

Once you set up a lookup based on this table, the search would look like this:

index=ctap host=sc58* sourcetype=gateway "PAYMENT REQUEST FAILED" pay_type="PAYMENT REQUEST FAILED - CC payments" 
| chart count by pay_fail_rsn 
| sort -count 
| lookup pay_fail_lookup pay_fail_rsn OUTPUT pay_fail_category
| table pay_fail_category count

Finally, to answer your question: I don't know! I don't see a typo in your command. The [] should have no effect. To debug, I suggest that you replace the last two lines of your original search with

    pay_fail_rsn = "[EBS] Invalid request - Amount. Is Required -","Amount Required",
    1==1,pay_fail_rsn)
| table Description count

This adds a final category to the case command: any pay_fail_rsn value that does not match the previous categories will be assigned to the Description.

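To see why the "[EBS]" value never matches, the following diagnostic search, added here and not part of the thread, keeps the catch-all behaviour lguinn2 suggests (the raw pay_fail_rsn becomes the Description when nothing matches) and then exposes how the stored value differs from the literal. It assumes a CSV lookup named pay_fail_lookup with the two columns shown above; the fields matched, raw_len, trimmed_len, visible and nonascii are my own names.

```spl
index=ctap host=sc58* sourcetype=gateway "PAYMENT REQUEST FAILED" pay_type="PAYMENT REQUEST FAILED - CC payments"
| chart count by pay_fail_rsn
| sort -count
| lookup pay_fail_lookup pay_fail_rsn OUTPUT pay_fail_category
| eval Description=coalesce(pay_fail_category, pay_fail_rsn)
| eval matched=if(isnull(pay_fail_category), "no", "yes")
| eval raw_len=len(pay_fail_rsn), trimmed_len=len(trim(pay_fail_rsn))
| eval visible="<" . pay_fail_rsn . ">"
| eval nonascii=if(match(pay_fail_rsn, "[^ -~]"), "yes", "no")
| table Description count matched raw_len trimmed_len visible nonascii
```

A row with matched=no whose raw_len exceeds trimmed_len, or whose nonascii is yes, carries leading/trailing whitespace or a non-printable character that the exact string comparison in case() (or the lookup) will never equal; the visible column shows such padding inside the angle brackets. Append `| where matched="no"` to keep only the rows that fell through.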