Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

rename everything not included in case()

zkenaga
New Member
‎05-23-2017 03:05 PM

I have eval category=case(false(),'category',like('test',"test_11%"),"11tests",like('test',"test_22%"),"22tests",like('test',"test33%"),"33tests",true(),'test') |

How would I say to rename everything else not included in case()?

Thanks.

Tags (1)
0 Karma
Reply

mengler_splunk
Splunk Employee
Splunk Employee
‎09-01-2017 07:34 AM

Just to put the correct answer in writing:

eval category=case(false(),'category',like('test',"test_11%"),"11tests",like('test',"test_22%"),"22tests",like('test',"test33%"),"33tests",1==1,'everything_else')
Reply

dorgra
Path Finder
‎06-16-2017 06:16 PM

I'm a noob to Splunk and very interested in this question. As a programmer, why not nest the Case statement inside an IF statement?

0 Karma
Reply

DalJeanis
Legend
‎06-17-2017 10:53 AM

To amplify what @niketnilay said, wrapping an if around a case statement, in pretty much any language, is redundant. The only place it makes sense is in a few ancient languages where the switch/case/evaluate/whateveritwascalled statement is limited to numeric values and the if is not -- or by extension, where the main switch is based on conditionally jumping instructions due to different values of a single test, and you want the if to represent a different test.

0 Karma
Reply

niketn
Legend
‎06-16-2017 10:01 PM

@dorgra, I think the answer was including true() or 1==1 condition at the end of the case block, to handled everything else:

true(),"EverythingElse"

It is similar to default condition block when all the other conditions are not true.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-23-2017 04:16 PM

Do post what you did as an answer, and mark it as accepted.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-23-2017 03:49 PM

I'm confused - the "everything else" part of case() already is present in your example, the final pair: true(), 'test' yielding the value of the field test if all other tests are false.

What do you mean by rename?

PS: The first pair, false(), 'category', is pointless - false() is never true.

0 Karma
Reply

zkenaga
New Member
‎05-23-2017 04:00 PM

I figured it out after reading what you said more carefully... Thank you again

0 Karma
Reply

zkenaga
New Member
‎05-23-2017 03:52 PM

I apologize if I wasn't descriptive enough. I have 11tests and 22tests grouped together under a common name, what would be a way I could say, "for everything else, call it this"

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...