What's wrong with this case statement?

mistydennis
Communicator

When I add this case statement to my search, all results for Severity are "Other". What did I miss?

| eval Severity=case(score>=0.1 AND score<=3.9, "Low", score>=4.0 AND score<=6.9, "Medium", score>=7.0 AND score<=8.9, "High", score>=9.0 AND score<=10.0, "Critical", true(), "Other")

0 Karma

mistydennis
Communicator

Solved! Thank you to everyone that provided hints - it turns out that the field in question was coming from a lookup, and for some reason I could not successfully apply the case statement in my query. But I opened up the lookup query, added the case statement there, and it worked. I don't understand why this worked, but it did.

marysan
Communicator

But I used your query and it worked correctly:

It's possible that your score field is a multivalue field, like in my query:

| makeresults
| eval temp="1 6.7 8 9 9.6 103 454 5 2.3 5.3 1.4"
| eval score=split(temp," ")
| fields - temp,_time
| mvexpand score
| eval Severity=case(score>=0.1 AND score<=3.9, "Low", score>=4.0 AND score<=6.9, "Medium", score>=7.0 AND score<=8.9, "High", score>=9.0 AND score<=10.0, "Critical", true(), "Other")

0 Karma

mistydennis
Communicator

Yes, it does seem to work with your query but unfortunately it does not work in mine. I have confirmed the field is not multivalue.

0 Karma

PickleRick
SplunkTrust

If your fields which contain "numbers" misbehave it's often the case of the fields being in fact string representations of numbers. Try eval-ing the field before your case to a number using

| eval score=tonumber(score)

Oh, and assuming all your scores are non-negative, you can limit your number of conditions since they are evaluated left to right until a match is found. So if the first condition (0.1 - 3.9) evaluates to false, there is no point in requiring the number to be at least 4.0 in the next step, because if it were smaller, it would have matched the first condition.

0 Karma

mistydennis
Communicator

Thank you for this - I did verify that the field was a number, but I plugged in your eval anyway. Still doesn't work, though I appreciate the tip about reading from left to right (I didn't know that).

0 Karma

isoutamo
SplunkTrust

In verbose mode you can check the type of a field from the selected/interesting fields column. If there is a # before the field name, it's a number; if there is an a, it's a character field. This is the easiest way to see that.

r. Ismo

mistydennis
Communicator

That is a good tip - yes, the field is a number.

0 Karma

gcusello
SplunkTrust

Hi @mistydennis ,

Sometimes I have found problems with dot handling, so I suggest trying this:

| eval Severity=case(score>0 AND score<4, "Low", score>=4 AND score<7, "Medium", score>=7 AND score<9, "High", score>=9 AND score<=10, "Critical", true(), "Other")

Ciao.

Giuseppe

0 Karma

mistydennis
Communicator

I tried this as well, no luck. All values are still "Other".

0 Karma

isoutamo
SplunkTrust

One way to see what those fields contain is to create a new field like

...
| eval contains=">" . field . "<"
| ...

That way there is no need to guess what that field contains.

0 Karma
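Putting the thread's hints together, here is an added reproduction (not from any poster) that builds a constructed score field with the kinds of values a lookup can hand back (surrounding whitespace, a non-numeric placeholder, out-of-range numbers), makes them visible with the ">" . field . "<" trick, normalises them with trim() and tonumber(), and then applies the left-to-right simplification PickleRick described. The field names contains and score_num and the sample values are assumptions for the example.

```spl
| makeresults count=1
| eval raw="3.5|7.2 | 9.5|12|n/a|0.5"
| eval score=split(raw, "|")
| mvexpand score
| fields - raw, _time
| eval contains=">" . score . "<"
| eval score_num=tonumber(trim(score))
| eval Severity=case(isnull(score_num) OR score_num<0.1 OR score_num>10.0, "Other", score_num<=3.9, "Low", score_num<=6.9, "Medium", score_num<=8.9, "High", true(), "Critical")
| table score contains score_num Severity
```

The isnull() guard has to come first because tonumber() returns null for a value like "n/a", every comparison against null is false, and without the guard such a row would fall through to the final "Critical" branch instead of "Other". Note that dropping the lower bounds also closes the gaps in the original bands, so a value such as 3.95 now lands in "Medium" rather than "Other".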