Splunk Search

What is the limit on the number of branches in a single CASE statement in Splunk, and how can I optimize my current eval case statement?

magorinahory
New Member

Hello,

I have defined api_names and am calculating counts and sigma limits for alerts based on the URI stem.
Example uri stem: /api/v1/customer/details/customernumber/12345
I can't use regex here (or I am not that skilled). I've created this:

| eval cs_uri_stem=lower(cs_uri_stem)
| rex field=cs_uri_stem "/api/v\d/(?<api_name>\w+[a-z-]\w+).*"

However, it will parse out the API name only up to the first slash, so I'll match customer. I do not match customer/details/customernumber, as those parts sit between additional slashes.
Due to this limitation, I've created a big case statement with 122 x 2 branches.

| eval api_name = case(
    like(cs_uri_stem,"/api/v%/customers/%"),"customers",
    like(cs_uri_stem,"/api/v%/customers%"),"customers",
    like(cs_uri_stem,"/api/v%/customer-groups/%"),"customer-groups",
    like(cs_uri_stem,"/api/v%/customer-groups%"),"customer-groups",
    like(cs_uri_stem,"/api/v%/customer-bases/%"),"customer-bases",
    like(cs_uri_stem,"/api/v%/customer-bases%"),"customer-bases",
    like(cs_uri_stem,"/api/v%/customer/shippingaddresses/list/%"),"customer/shippingaddresses/list",
    like(cs_uri_stem,"/api/v%/customer/shippingaddresses/list%"),"customer/shippingaddresses/list",
    like(cs_uri_stem,"/api/v%/customer/search/%"),"customer/search",
    like(cs_uri_stem,"/api/v%/customer/search%"),"customer/search",
    like(cs_uri_stem,"/api/v%/customer/details/customernumber/%"),"customer/details/customernumber",
    like(cs_uri_stem,"/api/v%/customer/details/customernumber%"),"customer/details/customernumber",
    like(cs_uri_stem,"/api/v%/customer/%"),"customer",
    like(cs_uri_stem,"/api/v%/customer%"),"customer",
    1=1,"OTHER")

Now questions:

1. What is the SPLUNK limitation on the number of branches in a single CASE statement?
2. What is the impact of running such a big case statement?
3. I assume that the SPLUNK case statement works in the same manner as in SQL, so I've organized the patterns in descending order to match customer/details/customernumber first and customer only on the rest. Am I correct?
4. Is there any opportunity to optimize this case statement?
5. Is there any alternative? (I'm already thinking about leveraging rex and doing it in multiple levels, like customer = api_name_L1, details = api_name_L2, customernumber = api_name_L3.)

I'd appreciate any help/comments here.

Thank you!
m.


sundareshr
Legend

Try this regex to extract the path up to the last slash. This might eliminate the need for a complex case statement.

v\d+(?<path>[\w\/]+)\/
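As an added example (not part of either post), the Python below runs both approaches over constructed URI stems: it mimics the first-match behaviour of the question's case() (Splunk returns the value of the first true condition, so longer names must be listed before their prefixes), applies the question's rex, and applies sundareshr's regex, which also shows where that regex yields no match (a stem without a trailing slash, or a hyphenated name, since [\w\/] does not include '-'). The sample stems, API_NAMES order and function names are assumptions for this example; named groups use Python's (?P<name>...) spelling of the PCRE (?<name>...) form.

```python
import re

# Constructed sample URI stems in the shape of the question's example.
SAMPLE_STEMS = [
    "/api/v1/customer/details/customernumber/12345",
    "/api/v1/customer/search/",
    "/api/v2/customer-groups/77",   # hyphen: not covered by [\w/] in the answer's regex
    "/api/v1/customers",            # no trailing slash: the answer's regex requires one
    "/api/v1/orders/42",            # not in the question's table -> OTHER
]

# The API names from the question's like() table (unordered here; see helper below).
API_NAMES = ["customers", "customer-groups", "customer-bases",
             "customer/shippingaddresses/list", "customer/search",
             "customer/details/customernumber", "customer"]

# The question's rex: stops at the first slash after the version segment.
QUESTION_RX = re.compile(r"/api/v\d/(?P<api_name>\w+[a-z-]\w+).*")
# The answer's regex, with the PCRE group (?<path>...) spelled (?P<path>...) for Python.
ANSWER_RX = re.compile(r"v\d+(?P<path>[\w/]+)/")


def api_name_by_case(stem, names=None):
    """Mimic the question's case(): the first true like() wins, so the more
    specific (longer) names must be tried before names that are their prefix."""
    stem = stem.lower()
    if names is None:
        names = sorted(API_NAMES, key=len, reverse=True)
    for name in names:
        # like(cs_uri_stem, "/api/v%/<name>%"): '%' matches anything, slashes included
        if re.fullmatch(r"/api/v.*/" + re.escape(name) + ".*", stem):
            return name
    return "OTHER"


def api_name_first_segment(stem):
    """The question's rex as posted: yields only the first path segment."""
    m = QUESTION_RX.match(stem.lower())
    return m.group("api_name") if m else None


def api_name_by_regex(stem):
    """The answer's regex: everything between the version and the last slash."""
    m = ANSWER_RX.search(stem.lower())
    return m.group("path").lstrip("/") if m else None


if __name__ == "__main__":
    for stem in SAMPLE_STEMS:
        print(stem, api_name_by_case(stem), api_name_first_segment(stem), api_name_by_regex(stem))
```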