- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- eval case statement
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eval case statement
Hi,
Am using case statement to sort the fields according to user requirement and not alphabetically.
eval sort_field=case(wd=="SUPPORT",1, wd=="APPLICATION",2, wd=="STORAGE",3)
Works well when i have values for all the 3 rows but when i don't have value for a row then that is not visible . How can i make that visible with 0 values against that row.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Whats your full search? Splunk won't show a field in statistics if there is no raw event for it. There are workarounds to it but would need to see your current search to before suggesting anything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
...|eval sort_field=case(wd=="SUPPORT",1, wd=="APPLICATION",2, wd=="STORAGE",3,1=1, 0)
add default condition and set it's value to zero.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me, i have the same probleme with this search :
index=index_sqlprod-itrs_toc (severity=2 OR severity=0 OR severity="-1")
| eval ID=Env+"_"+Apps+"_"+Function+"_"+varname
| addinfo
| eval periode=info_max_time-info_min_time
| transaction ID startswith=(severity=2) maxevents=2
| eval start_time=mvindex(timestamp,0), end_time=mvindex(timestamp,1)
| stats sum(duration) AS duration_indispo by Function, periode
| eval Percent_Available = round((periode-duration_indispo)*100/periode,3)
| eval Env = case(
Function like "%OTMS%", "OTMS Alcatel",
Function like "%ASC Recorder%", "Enregistrement Téléphonie",
Function like "%ASC Core%", "ASC Core",
Function like "%OXE WORLDWIDE%", "OXE WORLDWIDE",
Function like "%Proxy%", "Téléphonie Alcatel Mobilité",
Function like "%Environnement Monitor%", "Environnement Monitor",
Function like "%Traps%", "Traps",
Function like "%System Management%", "System Management",
1==1, 100
)
| fillnull value=100.00
|table Env, Percent_Available
Works fine when I have values for all rows of each function, but when I don't have a value for any row then the (function) row is not visible. How can I make this visible with 100 values against this row
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Your case should end with ,1=1, 100) and not 1==1,100
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
