Splunk Search

Are there any limitations using on using the _raw field in an eval case statement?

sgundeti
Path Finder

Hi,

I was trying to construct an eval case statement using default _raw field and observed strange results. Here is my search:

base search 
| eval status=case(_raw LIKE "%login to mobile app%" AND match(_raw ,"userID:A*"),"A users login",
_raw LIKE "%login to mobile app%" AND match(_raw ,"userID:B*"),"B users login",
_raw LIKE "%login to mobile app%" AND match(_raw ,"userID:C*"),"C users login",
0==0,"others" )
| chart count by date_month,status

Each time I run my search with above syntax, Splunk gives me different count. Results are skewed completely.

If I add | eval raw=_raw and use "raw" field in the case statement, it gives correct results, no matter how many times I run it.

So is there any limitation for using default _raw field in a case statement?

NOTE : I can achieve desired results in more simple way, but my question is specific to above syntax.

0 Karma
1 Solution

sgundeti
Path Finder

looks like I found the answer for my issue. As I suspected its not the issue with _raw field rather It is verbose search mode. When I use smart mode results are consistent but not with verbose mode. And strangely results are not matching with different search mode. ie, verbose and smart mode results are not matching.

I have asked Splunk support about strange behavior of search modes, they are investigating. This Seems to be bug as per [https://answers.splunk.com/answers/343834/why-am-i-getting-three-different-results-running-a.html] but splunk haven't confirmed me yet.

I am using 6.3.2.

I will keep posted once I hear from Splunk support.

Since I got an answer to my original question. I am marking this as answered.

View solution in original post

0 Karma

sgundeti
Path Finder

looks like I found the answer for my issue. As I suspected its not the issue with _raw field rather It is verbose search mode. When I use smart mode results are consistent but not with verbose mode. And strangely results are not matching with different search mode. ie, verbose and smart mode results are not matching.

I have asked Splunk support about strange behavior of search modes, they are investigating. This Seems to be bug as per [https://answers.splunk.com/answers/343834/why-am-i-getting-three-different-results-running-a.html] but splunk haven't confirmed me yet.

I am using 6.3.2.

I will keep posted once I hear from Splunk support.

Since I got an answer to my original question. I am marking this as answered.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

This probably doesn't matter for your main question, but still: Keep in mind that match() treats the second argument as a regular expression, so match(field, "userID=B*") would match if field contained "userID=", "userID=B", "userID=BB", and so on. Additionally, you switch between userID= and userID: and you include B* twice.

Another recommendation, don't rely on date_month. Instead, use bin span=1mon _time | chart count by _time, status. Depending on how your timestamp was extracted, date_foo fields aren't always present.

More on topic, to narrow down the problem you should simplify your case() statement. Is it the LIKE? Is it the match()? Does the issue only appear when both are used?

sgundeti
Path Finder

sorry it was typo, there is no "userID=" and B* is only once. see query now.

yes I am aware that match treats as regex.this is not my exact query I tried to clone my problem with simple syntax here. thanks for your recommendation.

based on my observation I don't think issue is with LIKE or match() or both because like I said results are not varying when I assign _raw to any field and use that in case statement. seems like issue is only when I use _raw. hence I wanted to know if anyone have faced similar issue while using _raw field.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...