Splunk Search

Does anyone know of a right way to perform a case match statement with an or condition?

ixixix_spl
Explorer

I am looking to perform a case match search and have found that this query template attempted to answer how to define a case statement with an or condition on two matches. However, when I have used it within my own search I have found that even though the search executes correctly, the table returns with the "k12" row missing, even though "k1", "k2", and "k3" appear. Anyone know of a right way to perform a case match statement with an or condition, or is there a better method I should be following instead?

index=abc sourcetype=xyz 
  | eval w=case( match(_raw,"keyword1"), "k1",
                 match(_raw,"keyword2"), "k2",
                 match(_raw,"keyword3"), "k3",
                 match(_raw,"keyword1") OR match(_raw,"keyword2"), "k12") 
  | chart count by w
0 Karma
1 Solution

niketn
Legend

[UPDATED ANSWER]

@ixixix_spl, as stated before, if there are multiple case conditions which evaluate to true then only the first one is executed for each event. So if you are searching for keyword1 OR keyword2, then you can have either (1) k12 or (2) k1 and k2 in the results. If you really want the k12 count to also show up, you will have to add it yourself to the data with something like the following:

| makeresults 
| eval data="keyword1,keyword2,keyword3,keyword4,keyword1,keyword2,keyword3" 
| makemv data delim="," 
| mvexpand data 
| rename data as _raw 
| eval w=case(searchmatch("keyword1"), "k1",
    searchmatch("keyword2"), "k2",
    searchmatch("keyword3"), "k3")
| eval w=if(w=="k1" OR w=="k2",mvappend(w,"k12"),w)
| stats count by w

If you have keyword1 AND keyword2 to be matched in the event, though, then you can have k12, k1 and k2 identified in the raw events. You can have a query like the following:

| makeresults 
| eval data="keyword1,keyword2,keyword3,keyword4,keyword1 keyword2,keyword2,keyword3" 
| makemv data delim="," 
| mvexpand data 
| rename data as _raw 
| eval w=case(searchmatch("keyword1") AND searchmatch("keyword2"), "k12",
    searchmatch("keyword1") AND NOT (searchmatch("keyword2") AND searchmatch("keyword3")), "k1",
    searchmatch("keyword2") AND NOT (searchmatch("keyword1") AND searchmatch("keyword3")), "k2",
    searchmatch("keyword3") AND NOT (searchmatch("keyword1") AND searchmatch("keyword2")), "k3") 
| chart count by w

@ixixix_spl, for each event the case() statement will give the first match as the result and will not evaluate subsequent conditions even though they may also be true. So in case k12 has higher priority, you would need to have that as the first condition, followed by the individual keyword-based conditions.

Following is a run-anywhere example based on the sample data/query provided.

| makeresults 
| eval data="keyword1,keyword2,keyword3,keyword4,keyword1,keyword2,keyword3"
| makemv data delim=","
| mvexpand data
| rename data as _raw
| eval w=case(searchmatch("keyword1") OR searchmatch("keyword2"), "k12",
              searchmatch("keyword1"), "k1",
              searchmatch("keyword2"), "k2",
              searchmatch("keyword3"), "k3") 
| chart count by w
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
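
The following is an added example, not code from the thread or from Splunk: a small Python model of the first-match semantics of eval case() described in the accepted answer, run over the answer's constructed sample events. It reproduces the three outcomes discussed above: the asker's ordering (k12 can never win), the reordered query (k12 swallows k1 and k2, which matches the screenshot the asker describes), and the mvappend variant (k1, k2 and k12 all counted). The helper names searchmatch, case and count_by are assumptions that mimic the SPL functions of the same purpose, not Splunk APIs.

```python
"""Model of Splunk eval case() first-match semantics (added example).

The event strings below are the constructed sample data from the answer's
makeresults/mvexpand pipeline; nothing here talks to a Splunk instance.
"""
from collections import Counter

# Constructed sample events, identical to the answer's comma-separated data.
EVENTS = ["keyword1", "keyword2", "keyword3", "keyword4",
          "keyword1", "keyword2", "keyword3"]


def searchmatch(raw, term):
    """Assumed stand-in for SPL searchmatch(): True when the term occurs in _raw."""
    return term in raw


def case(*pairs):
    """Assumed stand-in for eval case(cond1, val1, cond2, val2, ...).

    Returns the value paired with the FIRST true condition and ignores the rest.
    With no true condition the field stays unset (None), so the event drops out
    of 'chart count by w'. Python evaluates the conditions eagerly before the
    call, but only the first true one decides the result, which is the point.
    """
    for cond, value in zip(pairs[::2], pairs[1::2]):
        if cond:
            return value
    return None


def count_by(values):
    """Assumed stand-in for 'stats count by w' / 'chart count by w'.

    Each value of a multivalue field counts once; unset fields are skipped.
    """
    counter = Counter()
    for v in values:
        if v is None:
            continue
        for item in (v if isinstance(v, list) else [v]):
            counter[item] += 1
    return dict(counter)


def original_query(events):
    """The asker's ordering: the OR branch is last, so any event it would match
    has already been claimed by k1 or k2 and k12 never appears."""
    return count_by(
        case(searchmatch(e, "keyword1"), "k1",
             searchmatch(e, "keyword2"), "k2",
             searchmatch(e, "keyword3"), "k3",
             searchmatch(e, "keyword1") or searchmatch(e, "keyword2"), "k12")
        for e in events)


def k12_first_query(events):
    """The answer's reordering: k12 takes every keyword1/keyword2 event,
    so k1 and k2 disappear from the chart instead."""
    return count_by(
        case(searchmatch(e, "keyword1") or searchmatch(e, "keyword2"), "k12",
             searchmatch(e, "keyword1"), "k1",
             searchmatch(e, "keyword2"), "k2",
             searchmatch(e, "keyword3"), "k3")
        for e in events)


def mvappend_query(events):
    """The answer's mvappend variant: classify as k1/k2/k3 first, then append
    k12 as a second value so both the individual and the combined bucket count."""
    values = []
    for e in events:
        w = case(searchmatch(e, "keyword1"), "k1",
                 searchmatch(e, "keyword2"), "k2",
                 searchmatch(e, "keyword3"), "k3")
        if w in ("k1", "k2"):
            w = [w, "k12"]  # mvappend(w, "k12")
        values.append(w)
    return count_by(values)


if __name__ == "__main__":
    print("asker's ordering :", original_query(EVENTS))
    print("k12 first        :", k12_first_query(EVENTS))
    print("mvappend variant :", mvappend_query(EVENTS))
```

The keyword4 event matches no branch in any variant and is silently dropped from every count, which is worth remembering when a chart is used as a detection: a zero-count category and an unmatched event look the same.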

ixixix_spl
Explorer

Great explanation, thank you very much!

0 Karma

ixixix_spl
Explorer

I went ahead and ran your solution on my system and only the k12 and k3 rows display. Are you having the same problem, or is there something within my search preferences that is causing this error?

What I am seeing is below in the imgur link:
https://imgur.com/a/BlUc0m1

0 Karma