Hi, I try to select on the same event with different values and they give different results, but Splunk finds no results. Can you tell me what is wrong with my command? Thanks
eval Agent= if(isnull(Agent) OR ( Agent=="aaa*", "bbb*") OR (Agent=="ccc*" , "ddd*" ,"reee*")OR (Agent=="*"),Messagerie, AC,MANAGERS,TECHNICIENS )
Thanks :).
I tried your solution but I think it's false again. I am a trainee and I try to do my best. So just bear with me (and with my English :)).
eval Personnel =case(Agent == null() , "Messagerie", Agent ==("aa*" OR "bb*"), "AC", Agent=="*",TECHNICIENS) |stats count by Personnel
The last Agent is to give the rest of the values
Give this a try
eval Personnel=case(isnull(Agent), "Messagerie", like(Agent,"aa%") OR like(Agent,"bb%"), "AC", 1=1, "TECHNICIENS") | stats count by Personnel
So,
If Agent is null - Personnel=Messagerie
If Agent="aa*" OR Agent="bb*" (in search, * is the wildcard; for the like function in eval, % is the wildcard), Personnel=AC
For all other cases, Personnel=TECHNICIENS
Thank you Somesoni2!!
(field="value1", "value2") is not a valid eval expression. If you're looking for a list of possible values, you will need to spell them out explicitly like this: (field="value1" OR field="value2").
Similarly, if() only takes three arguments - the condition, the then-value, and the else value. If you're trying to test several conditions and yield a different result for each condition, you'll want to use case() like this: case(condition1, value1, condition2, value2, ...)
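The two answers above combined into one search that can be pasted into any Splunk search bar, as an added example that is not part of the original thread. The five Agent values (aa01, bb17, zz42, AA03 and one null) are constructed sample data, and the Personnel_ci field is a hypothetical name for a case-insensitive variant that goes slightly beyond the thread.

```spl
| makeresults count=5
| streamstats count AS n
| eval Agent=case(n=1, "aa01", n=2, "bb17", n=3, "zz42", n=4, "AA03")
| eval Personnel=case(isnull(Agent), "Messagerie",
                      like(Agent, "aa%") OR like(Agent, "bb%"), "AC",
                      true(), "TECHNICIENS")
| eval Personnel_ci=case(isnull(Agent), "Messagerie",
                         like(lower(Agent), "aa%") OR like(lower(Agent), "bb%"), "AC",
                         true(), "TECHNICIENS")
| table n Agent Personnel Personnel_ci
```

The fifth row has no Agent because case() returns null when no condition matches, so it lands in Messagerie. AA03 falls through to TECHNICIENS in Personnel but is AC in Personnel_ci, because like() in eval compares case-sensitively, unlike wildcard matching in the search command.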