Splunk Search

Why is the splunk eval case with special characters not working?

Chandras11
Communicator

Hi everyone,

when I try to use the following command, it always gives CA_flag as "Other", although lower_Ticket_Desc has an exact matching term. Is there something which I am not doing correctly here:

| eval lower_Ticket_Desc = lower(TICKET_DESC)
| rex field=lower_Ticket_Desc mode=sed "s/ //g"
| eval CA_flag = case(lower_Ticket_Desc=="[yes/no]:no", "Flag_NO", lower_Ticket_Desc=="[yes/no]:yes", "Flag_YES", 1=1, "Other") |

I have removed all blank spaces and converted everything to lower case.

TICKET_DESC examples: "asdfjkasdhf [Yes/No]: No dfasjaskl" or "asdfjkasdhf [Yes/No]:no asdfadsf" or "asdfjkasdhf [Yes/No]: YES asdfadsf"

1 Solution

FrankVl
Ultra Champion

That's because your case statement uses the == comparison operator, which requires an exact match, while your match string is only a substring of the actual field value.

Try the following using like() and adding % signs before and after the match string:

| eval lower_Ticket_Desc = lower(TICKET_DESC) 
| rex field=lower_Ticket_Desc mode=sed "s/ //g" 
| eval CA_flag = case(like(lower_Ticket_Desc,"%[yes/no]:no%") ,"Flag_NO" ,like(lower_Ticket_Desc,"%[yes/no]:yes%") ,"Flag_YES" , 1=1, "Other" )


niketn
Legend

@Chandras11, please try the following case() statement

| eval CA_flag = case(match(lower_Ticket_Desc,"^\[yes\/no\]:no$") ,"Flag_NO",
                     match(lower_Ticket_Desc,"^\[yes\/no\]:yes$") ,"Flag_YES",
                     1=1, "Other")

Following is a run anywhere search for testing:

| makeresults 
| eval lower_Ticket_Desc="[yes/no]:yes" 
| eval CA_flag = case(match(lower_Ticket_Desc,"^\[yes\/no\]:no$") ,"Flag_NO",
                 match(lower_Ticket_Desc,"^\[yes\/no\]:yes$") ,"Flag_YES",
                 1=1, "Other")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

FrankVl
Ultra Champion

I don't think those regular expressions are correct, given that the field values look like this (according to his examples): "asdfjkasdhf [Yes/No]: No dfasjaskl".

If your regex would have been correct, then his original == would also have worked, right?

Just remove the ^ and $ signs and it would work.

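To see the three comparisons side by side, here is a run-anywhere search that is an added example and not part of the original thread. It builds four constructed TICKET_DESC rows from the examples in the question (plus one row with no marker at all), applies the same lower() and sed normalisation, and then computes the flag three ways: with the original == comparison, with FrankVl's like() and % wildcards, and with niketn's match() patterns after dropping the ^ and $ anchors as suggested above. The field names flag_eq, flag_like and flag_match and the helper column n are assumptions chosen for this example.

```spl
| makeresults count=4
| streamstats count AS n
| eval TICKET_DESC=case(n==1, "asdfjkasdhf [Yes/No]: No dfasjaskl",
                        n==2, "asdfjkasdhf [Yes/No]:no asdfadsf",
                        n==3, "asdfjkasdhf [Yes/No]: YES asdfadsf",
                        n==4, "ticket text with no marker at all")
| eval lower_Ticket_Desc=lower(TICKET_DESC)
| rex field=lower_Ticket_Desc mode=sed "s/ //g"
| eval flag_eq=case(lower_Ticket_Desc=="[yes/no]:no", "Flag_NO",
                    lower_Ticket_Desc=="[yes/no]:yes", "Flag_YES",
                    1=1, "Other")
| eval flag_like=case(like(lower_Ticket_Desc, "%[yes/no]:no%"), "Flag_NO",
                      like(lower_Ticket_Desc, "%[yes/no]:yes%"), "Flag_YES",
                      1=1, "Other")
| eval flag_match=case(match(lower_Ticket_Desc, "\[yes/no\]:no"), "Flag_NO",
                       match(lower_Ticket_Desc, "\[yes/no\]:yes"), "Flag_YES",
                       1=1, "Other")
| table n TICKET_DESC lower_Ticket_Desc flag_eq flag_like flag_match
```

Rows 1 to 3 should come back with flag_eq="Other" in every case (the normalised value is the whole sentence without spaces, never exactly "[yes/no]:no"), while flag_like and flag_match give Flag_NO, Flag_NO and Flag_YES; row 4 is "Other" under all three. One caveat with both substring approaches: "%[yes/no]:no%" and the unanchored regex also hit values such as "[yes/no]:not" or "[yes/no]:none". If that matters, a regex with a negative lookahead, for example match(lower_Ticket_Desc, "\[yes/no\]:no(?![a-z])"), keeps the match from running into the following word.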

niketn
Legend

@FrankVl, nothing new... again you beat me to it. I posted a different approach but too late 😉


Chandras11
Communicator

@niketnilay: It's always good to have more than one approach :)


Chandras11
Communicator

Thanks Frank, you reduced one common mistake which I make regularly 🙂
