Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I create an eval expression for a data model?

danesh_shah
New Member
‎10-24-2018 07:13 AM

i have an expression which i am trying to use for a calculated field, and it is within a data model for web requests.

the expression is based on HTTP codes with conditions 

 (if(status='200', "OKAY"), 
 (if(status>='400', "CLIENT ERROR"), 
 (if(status>='500', "SERVER ERROR"), 
 (if(status>='600', "OTHER"))))

does not seem to work..

0 Karma
Reply

niketn
Legend
‎10-24-2018 12:32 PM

@danesh_shah, please try the following run anywhere example. It builds the HTTP Description based on http_status_code provided on Wikipedia: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

| makeresults
| eval http_status_code="101,204,200,302,404,502,600"
| makemv http_status_code delim=","
| mvexpand http_status_code
| eval http_status_description=case(match(http_status_code,"^1\d{2}$"),"Informational",
    match(http_status_code,"^2\d{2}$"),"Success",
    match(http_status_code,"^3\d{2}$"),"Redirection",
    match(http_status_code,"^4\d{2}$"),"Client Error",
    match(http_status_code,"^5\d{2}$"),"Server Error",
    true(),"Unknown")
| table http_status_code http_status_description
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

danesh_shah
New Member
‎10-24-2018 07:15 AM

also tried
(case(status>=200,"okay",
status>=400,"client error",
status>=500,"server error",
status>600,"other"))

0 Karma
Reply

MikaJustasACN
Path Finder
‎10-24-2018 07:32 AM

just a question, why is there () covering the whole statement? Additionally, what you want to check would be whether those numbers are actually numerical values or not.

0 Karma
Reply

danesh_shah
New Member
‎10-24-2018 07:38 AM

i imagined the whole statement would require to be enclosed in brackets, however i have tried without and it still did not resolve.

those numbers are numerical as the first line where it says case(status=200, "OKAY"
the preview tab reports shows this conversion but the remaining 3 conditions do not seem to resolve the search report for all field values only state to be "OKAY" even if the status code is 400...

0 Karma
Reply

MikaJustasACN
Path Finder
‎10-24-2018 07:44 AM

thats only using case, correct? The problem is how case sees it, as soon as it hits first match it stops evaluating. so your status>=200 always correct thus always shows okay and nothing else.

0 Karma
Reply

danesh_shah
New Member
‎10-24-2018 07:52 AM

Thats correct using case only the first line is resolving.

when tried to use IF the expression kept failing completely although making the correct adjustments for the IF statement.

which was

if(status=200, "OKAY",
status>=400, "CLIENT ERROR",
status>=500, "SERVER ERROR",
status>=600, "OTHER")

0 Karma
Reply

MikaJustasACN
Path Finder
‎10-24-2018 07:56 AM

Try this

case(status>=600,"other",
status>=500,"server error",
status>=400,"client error",
status>=200,"okay")

never using IF, but again, make sure you use boolean expressions (==, >=,<=) and not assignment (=). Also make sure there is last condition in an IF if nothing matches. Not sure if Splunk enforces it.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...