The following is the search in my Splunk. Now I am just trying to understand the structure and that condition means could anyone please explain the below?
my search | eval risk_rating=case('tag::eventtype'="Black","Black", 'tag::eventtype'="White","White", 'tag::eventtype'="Red","Red", 1==1, "Yellow")
For each event/row, it creates a new field named risk_rating
whose value is set depending on the value of another field, in this case the tag::eventtype
. If the value is defined, it copies it as-is, if it is undefined, it sets the value to "Yellow". Because 3 values are blind copying plus a default, the developer should have used coalesce
instead of case
, like this:
... | eval risk_rating=coalesce(tag::eventtype, "Yellow")
Also, the best way to end the last test in a case
statement (the default) is to use true()
, instead of 1==1
.
@pavanae - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.
For each event/row, it creates a new field named risk_rating
whose value is set depending on the value of another field, in this case the tag::eventtype
. If the value is defined, it copies it as-is, if it is undefined, it sets the value to "Yellow". Because 3 values are blind copying plus a default, the developer should have used coalesce
instead of case
, like this:
... | eval risk_rating=coalesce(tag::eventtype, "Yellow")
Also, the best way to end the last test in a case
statement (the default) is to use true()
, instead of 1==1
.
case is like switch statement to set the value of risk_rating...
tag::eventytpe=="Black" then set risk_rating as Black
Similarly for White and Red
1==1 is like the default case which sets everything else to Yellow.
Similar result can be achieved with cascaded if in Splunk, however it gets confusing with more conditions being checked.
On the quick overlook, if your base search return events which matches the tag defined for eventtype, the name of eventtype of the event is set in the risk_rating. If an event doesn't have a tag defined, the risk_rating is set to a default value of "Yellow".
A good explanation of tag and eventtype is available here
https://answers.splunk.com/answers/238355/what-are-the-definitions-of-tag-and-eventtype-and.html