Splunk Search

Eval Description possibly not working due to special character in field

kmccowen
Path Finder

Query:

index=ctap host=sc58* sourcetype=gateway "PAYMENT REQUEST FAILED" pay_type="PAYMENT REQUEST FAILED - CC payments" 
| chart count by pay_fail_rsn 
| sort count | reverse 
| eval Description = case(pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 7 - Invalid amount field -","Invalid amount field",
    pay_fail_rsn  = "CCC03E-AUTHORIZATION DECLINED -", "Authorization Declined",
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 2 - Invalid cardholder number -", "Invalid Cardholder Number", 
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 5 - Invalid transaction type -", "Invalid Transaction Type",
    pay_fail_rsn = "CCNUMBER; CCE05E-INVALID CREDIT CARD NUMBER -","Invalid Credit Card Number",
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 3 - Invalid expiration date -","Invalid Expiration Date",
    pay_fail_rsn = "CCC06E-NOT PROCESSED, AUTH REFERRAL -","Not Processed, Auth Referral",
    pay_fail_rsn = "Good response-check reject rsn -","Not Processed, Reason Unknown",
    pay_fail_rsn = "CCEXP_DATE; CCE08E-INVALID EXPIRATION DATE -","Invalid Expiration Date",
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - M - General message format problem -","Message Format Problem",
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - J - Function unavailable -","Function Unavailable", 
    pay_fail_rsn = "Good response-check reject rsn - Rejected Reason - 6 - [unknown] -", "Not Processed, Reason Unknown", 
    pay_fail_rsn = "CCC09E-CALL 800-247-4976 -", "Call 1-800-247-4976",
    pay_fail_rsn = "[EBS] Invalid request - Amount. Is Required -","Amount Required")
| table Description , count

Result:

Description                     count
------------------------------  -----
Invalid amount field              300
Authorization Declined            243
Invalid Cardholder Number         190
Invalid Transaction Type           44
Invalid Credit Card Number         37
Invalid Expiration Date            21
Not Processed, Auth Referral        6
                                    5
Not Processed, Reason Unknown       5
Invalid Expiration Date             4
Message Format Problem              3
Function Unavailable                2
Not Processed, Reason Unknown       2
Call 1-800-247-4976

Why is only this one failing to EVAL? Is it the brackets? How do I deal with it?

pay_fail_rsn = "[EBS] Invalid request - Amount. Is Required -","Amount Required"

0 Karma

lguinn2
Legend

First, a tip: you can replace this | sort count | reverse with | sort -count. It will be more efficient.

Second, I would probably use a lookup table instead of the long case statement. The table might look like this:

pay_fail_rsn,pay_fail_category
"Good response-check reject rsn - Rejected Reason - 7 - Invalid amount field -","Invalid amount field"
"CCC03E-AUTHORIZATION DECLINED -","Authorization Declined"
"Good response-check reject rsn - Rejected Reason - 2 - Invalid cardholder number -","Invalid Cardholder Number"

Once you set up a lookup based on this table, the search would look like this:

index=ctap host=sc58* sourcetype=gateway "PAYMENT REQUEST FAILED" pay_type="PAYMENT REQUEST FAILED - CC payments" 
| chart count by pay_fail_rsn 
| sort -count 
| lookup pay_fail_lookup pay_fail_rsn OUTPUT pay_fail_category
| table pay_fail_category count

Finally, to answer your question: I don't know! I don't see a typo in your command. The [] should have no effect. To debug, I suggest that you replace the last two lines of your original search with

    pay_fail_rsn = "[EBS] Invalid request - Amount. Is Required -","Amount Required",
    1==1,pay_fail_rsn)
| table Description count

This adds a final category to the case command: any pay_fail_rsn value that does not match the previous categories will be assigned to the Description.

0 Karma
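The catch-all idea from the answer above, modelled in Python as an added example (not Splunk's code and not from either poster): unmatched pay_fail_rsn values fall through unchanged instead of producing a blank Description, and a diagnostic compares the fallen-through value with the nearest case() literal character by character. The sample events are constructed, and the trailing space that causes the miss is an assumed cause chosen for illustration, not something the thread established.

```python
"""Model of the SPL case() mapping with a 1==1 default, plus a near-miss check."""
import difflib

# Subset of the case() literal -> Description pairs from the original search.
CASE_TABLE = {
    "Good response-check reject rsn - Rejected Reason - 7 - Invalid amount field -":
        "Invalid amount field",
    "CCC03E-AUTHORIZATION DECLINED -": "Authorization Declined",
    "[EBS] Invalid request - Amount. Is Required -": "Amount Required",
}


def describe(pay_fail_rsn):
    """Equivalent of case(..., 1==1, pay_fail_rsn): an unmatched value is
    returned as-is so it shows up in the chart instead of a blank cell."""
    return CASE_TABLE.get(pay_fail_rsn, pay_fail_rsn)


def near_miss(value, table=CASE_TABLE):
    """For a value that fell through, find the closest case() literal and
    list the non-equal regions; repr() of these exposes whitespace or odd
    dash characters that look identical on screen."""
    match = difflib.get_close_matches(value, list(table), n=1, cutoff=0.8)
    if not match:
        return None
    expected = match[0]
    ops = difflib.SequenceMatcher(None, expected, value).get_opcodes()
    return expected, [op for op in ops if op[0] != "equal"]


def chart_count(events):
    """Mirror of '| chart count by Description' over raw reason strings."""
    counts = {}
    for reason in events:
        key = describe(reason)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: the second value carries a trailing space (assumed cause).
EVENTS = [
    "CCC03E-AUTHORIZATION DECLINED -",
    "[EBS] Invalid request - Amount. Is Required - ",
]

if __name__ == "__main__":
    for key, n in chart_count(EVENTS).items():
        print(f"{key!r}: {n}")
        if key not in CASE_TABLE.values():
            print("  near miss:", near_miss(key))
```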