Hi all,
I wrote the query below:
index=noact host=loss0* sourcetype=pro-e
(
path="/desktop/account/" OR
path="/desktop/PerItemNumber" OR
path="/desktop/organization/groups" OR
path="/desktop/organization/groups/*"
)
| eval URL= case (
match(path,"\/desktop\/account"), "/desktop/account",
match(path,"\/desktop\/PerItemNumber"), "/desktop/PerItemNumber",
match(path,"\/desktop\/organization\/groups"), "/desktop/organization/groups",
match(path,"\/desktop\/organization\/groups\/.*"), "/desktop/organization/groups/*"
)
But when I run it, only the /desktop/account value is populated in URL (the new field). Not sure why; the rest of the URLs also have values, but they are not coming through.
Because of the way match works, the fourth case construct is never going to execute, and you don't need it anyway. I agree with @niketnilay that your code should work fine if the events exist.
index=noact host=loss0* sourcetype=pro-e
( path="/desktop/account/" OR
path="/desktop/PerItemNumber" OR
path="/desktop/organization/groups*"
)
| eval URL= case ( match(path,"\/desktop\/account"), "/desktop/account",
match(path,"\/desktop\/PerItemNumber"), "/desktop/PerItemNumber",
match(path,"\/desktop\/organization\/groups"), "/desktop/organization/groups"
)
"Because of the way match works" - I didn't understand what you mean by this. Why will the fourth case never execute?
I have taken the example below, in which the two requests are different; they serve different purposes and I want them separately.
index=noact host=loss0* sourcetype=pro-e
(
path="/desktop/organization/groups" OR
path="/desktop/organization/groups/*"
)
| eval URL= case (
match(path,"\/desktop\/organization\/groups"), "/desktop/organization/groups",
match(path,"\/desktop\/organization\/groups\/.*"), "/desktop/organization/groups/*"
)
But I observed that when I execute this, Splunk puts the second URL (/desktop/organization/groups/*) into the new field 'URL' as /desktop/organization/groups, and that's why I am not getting the other values. I think this is what you are referring to; am I right?
Why this behavior?
When I swapped the position of the URLs in the case command, I got both URLs as expected. :) Why is this? I am not understanding it.
As match compares the URL with the regex I give it, and it should populate the values in the field I specify, why does it act like that? Please clarify this.
[UPDATED ANSWER]
@shabdadev, sorry, I had missed .* in my search.
match() finds a regular expression pattern in the string being searched. So the substring in the 3rd condition, i.e. "\/desktop\/organization\/groups", will always be true even if you have more content in your path after groups. Hence the final case block will never be hit. If this is clear, you do not need a separate case for groups/.*, as @DalJeanis has suggested.
In case you want an exact match for the groups URL and a partial match for the groups/... URL to be categorized differently, you can try the following case block:
| makeresults
| eval path= "/desktop/account/,/desktop/PerItemNumber,/desktop/organization/groups,/desktop/organization/groups/.*"
| makemv path delim=","
| mvexpand path
| eval URL= case (match(path,"/desktop/account"),"/desktop/account",
match(path,"/desktop/PerItemNumber"),"/desktop/PerItemNumber",
(path="/desktop/organization/groups"),"/desktop/organization/groups",
match(path,"/desktop/organization/groups/.*"),"/desktop/organization/groups/.*")
| table path URL
PS: As you can see, in the 3rd condition I am comparing the exact URL and in the 4th I am using a match() pattern.
It should work as expected. Can you please post some sample data?
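The behaviour discussed in this thread, reproduced as an added example that is not part of any post above: Splunk's case() returns the value of the first condition that is true, and match() is an unanchored regex search, so a pattern that is a prefix of another pattern swallows the longer one. The script below emulates those two semantics with Python's re.search (an assumption of the example, not Splunk's implementation), runs the original rule order, the swapped order the asker tried, the exact-comparison fix from the updated answer, and a further variant that anchors every regex with ^ and $ so rule order no longer matters. The sample paths are constructed; the "/1234" suffix stands in for whatever follows groups/ in real events.

```python
import re

# Constructed sample paths; not data from the original thread.
SAMPLE_PATHS = [
    "/desktop/account/",
    "/desktop/PerItemNumber",
    "/desktop/organization/groups",
    "/desktop/organization/groups/1234",
    "/other/thing",
]


def splunk_match(value, pattern):
    """Emulates Splunk match(): true if the regex matches anywhere in the string (unanchored)."""
    return re.search(pattern, value) is not None


def classify(path, rules):
    """Emulates Splunk case(c1, v1, c2, v2, ...): the first true condition wins.

    Returns None when nothing matches (Splunk would leave the field null).
    """
    for condition, label in rules:
        if condition(path):
            return label
    return None


def classify_all(rules, paths=SAMPLE_PATHS):
    """Apply one rule set to every sample path; returns {path: URL}."""
    return {p: classify(p, rules) for p in paths}


ACCOUNT, ITEM = "/desktop/account", "/desktop/PerItemNumber"
GROUPS, GROUPS_SUB = "/desktop/organization/groups", "/desktop/organization/groups/*"

# 1. The ordering from the question. The third pattern is a substring of the fourth,
#    so it also matches ".../groups/1234" and the fourth rule is never reached.
ORIGINAL_RULES = [
    (lambda p: splunk_match(p, r"/desktop/account"), ACCOUNT),
    (lambda p: splunk_match(p, r"/desktop/PerItemNumber"), ITEM),
    (lambda p: splunk_match(p, r"/desktop/organization/groups"), GROUPS),
    (lambda p: splunk_match(p, r"/desktop/organization/groups/.*"), GROUPS_SUB),
]

# 2. The swap the asker observed working: the more specific pattern is tested first.
SWAPPED_RULES = [
    (lambda p: splunk_match(p, r"/desktop/account"), ACCOUNT),
    (lambda p: splunk_match(p, r"/desktop/PerItemNumber"), ITEM),
    (lambda p: splunk_match(p, r"/desktop/organization/groups/.*"), GROUPS_SUB),
    (lambda p: splunk_match(p, r"/desktop/organization/groups"), GROUPS),
]

# 3. The updated answer's fix: exact string comparison for the bare groups URL.
EXACT_RULES = [
    (lambda p: splunk_match(p, r"/desktop/account"), ACCOUNT),
    (lambda p: splunk_match(p, r"/desktop/PerItemNumber"), ITEM),
    (lambda p: p == GROUPS, GROUPS),
    (lambda p: splunk_match(p, r"/desktop/organization/groups/.*"), GROUPS_SUB),
]

# 4. Extension: anchor every regex so no rule is a substring of another.
#    With anchors the rules are mutually exclusive and order is irrelevant.
ANCHORED_RULES = [
    (lambda p: splunk_match(p, r"^/desktop/account/?$"), ACCOUNT),
    (lambda p: splunk_match(p, r"^/desktop/PerItemNumber$"), ITEM),
    (lambda p: splunk_match(p, r"^/desktop/organization/groups$"), GROUPS),
    (lambda p: splunk_match(p, r"^/desktop/organization/groups/.+$"), GROUPS_SUB),
]


def order_independent(rules, paths=SAMPLE_PATHS):
    """True if classifying with the rules reversed gives the same result for every path."""
    return classify_all(rules, paths) == classify_all(list(reversed(rules)), paths)


if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL_RULES), ("swapped", SWAPPED_RULES),
                        ("exact", EXACT_RULES), ("anchored", ANCHORED_RULES)]:
        print(f"--- {name} (order-independent: {order_independent(rules)})")
        for path, url in classify_all(rules).items():
            print(f"{path:40} -> {url}")
```

The anchored form is the one to prefer when the classification feeds anything that matters (alerting, access reporting): an unanchored prefix such as /desktop/account also matches a path like /desktop/account-recovery, and whichever rule happens to sit first in the case() silently decides the label. In SPL the same anchoring is written as match(path,"^/desktop/organization/groups$").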
Following is a run-anywhere search; the pipes up to the mvexpand command generate the four groups of paths you have. I have used the same case() and match() approach as yours (the only modification is that the slashes need not be escaped).
| makeresults
| eval path= "/desktop/account/,/desktop/PerItemNumber,/desktop/organization/groups,/desktop/organization/groups/*"
| makemv path delim=","
| mvexpand path
| eval URL= case (match(path,"/desktop/account"),"/desktop/account",
match(path,"/desktop/PerItemNumber"),"/desktop/PerItemNumber",
match(path,"/desktop/organization/groups"),"/desktop/organization/groups",
match(path,"/desktop/organization/groups/.*"),"/desktop/organization/groups/*")
| table path URL
I am able to see four groups of URLs according to the path.