- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Eval Case Formula
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Struggling to complete an Eval Case syntax. I want to create a situation where I have a new field called provider based on certain criteria.
Provider:
XYZ (if D1_Code equals X and current team does not equal ABC or DEF)
ABC (if current team equals ABC) - wildcards needed as there are variants of ABC
DEF (if current team equals DEF) - wildcards needed as there are variants of DEF
Search string is | eval Provider=case(D1_Code="X" AND Current_Team!="ABC" AND Current_Team!="DEF", "XYZ", Current_Team="ABC", "ABC", Current_Team="DEF", "DEF")
The first part of the eval works on it's own but when I try and add criteria for ABC and DEF it will not work.
Provider=case(D1_Code="X" AND Current_Team!="ABC" AND Current_Team!="DEF")
Could anyone please advice? Not sure if case is the right thing to use here.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works for me: | makeresults | eval D1_Code="X", Current_Team="DEF" | eval Provider=case( (D1_Code="X" AND Current_Team!="ABC" AND Current_Team!="DEF"), "XYZ", Current_Team="ABC", "ABC", Current_Team="DEF", "DEF")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about you change the order, like this...
....| eval Provider=case(Current_Team="ABC", "ABC", Current_Team="DEF", "DEF",D1_Code="X", "XYZ")
Also, if you want to match with wildcards (you need to provide actual sample values for better suggestions), try this
....| eval Provider=case(match(Current_Team,"ABC"), "ABC", match(Current_Team,"DEF"), "DEF",D1_Code="X", "XYZ")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Brilliant - this solved the issue!
Many thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
converted to answer, if it worked for you, please accept it and mark as answered
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
Detecting Remote Code Executions With the Splunk Threat Research Team
