When I add this case statement to my search, all results for Severity are "Other". What did I miss?
| eval Severity=case(score>=0.1 AND score<=3.9, "Low", score>=4.0 AND score<=6.9, "Medium", score>=7.0 AND score<=8.9, "High", score>=9.0 AND score<=10.0, "Critical", true(), "Other")
Solved! Thank you to everyone that provided hints - it turns out that the field in question was coming from a lookup, and for some reason I could not successfully apply the case statement in my query. But I opened up the lookup query, added the case statement there, and it worked. I don't understand why this worked, but it did.
But I used your query and it worked correctly:
It's possible that your score field is a multivalue field, like in my query:
| makeresults
| eval temp="1 6.7 8 9 9.6 103 454 5 2.3 5.3 1.4"
| eval score=split(temp," ")
| fields - temp,_time
| mvexpand score
| eval Severity=case(score>=0.1 AND score<=3.9, "Low", score>=4.0 AND score<=6.9, "Medium", score>=7.0 AND score<=8.9, "High", score>=9.0 AND score<=10.0, "Critical", true(), "Other")
Yes, it does seem to work with your query but unfortunately it does not work in mine. I have confirmed the field is not multivalue.
If your fields which contain "numbers" misbehave, it is often because the fields are in fact string representations of numbers. Try eval-ing the field to a number before your case using
| eval score=tonumber(score)
Oh, and assuming all your scores are non-negative, you can limit your number of conditions, since they are evaluated left to right until a match is found. So if the first condition (0.1 - 3.9) evaluates to false, there is no point in requiring the number to be at least 4.0 in the next step, because if it was smaller, it would have matched the first condition.
Thank you for this - I did verify that the field was a number, but I plugged in your eval anyway. Still doesn't work, though I appreciate the tip about reading from left to right (I didn't know that).
In verbose mode you can check the type of a field from the selected/interesting fields columns. If there is a # before the field name it's a number, and if it's an "a" it's a character (string). This is the easiest way to see that.
r. Ismo
That is a good tip - yes, the field is a number.
Hi @mistydennis,
sometimes I have found problems with the handling of decimal points, so I suggest trying this:
| eval Severity=case(score>0 AND score<4, "Low", score>=4 AND score<7, "Medium", score>=7 AND score<9, "High", score>=9 AND score<=10, "Critical", true(), "Other")
Ciao.
Giuseppe
I tried this as well, no luck. All values are still "Other".
One way to see what those fields contain is to create a new field, like:
...
| eval contains=">" . field . "<"
| ...
That way there is no need to guess what the field contains.
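The points raised in the thread (string-typed scores that need tonumber(), the left-to-right evaluation of case(), the gaps between 3.9/4.0, 6.9/7.0 and 8.9/9.0 in the original ranges, and the ">field<" trick for seeing what a value really holds) can be modelled outside Splunk. This is an added Python example, not code from the thread or from Splunk; the sample rows, the simplified tonumber() model and the function names are assumptions.

```python
import re

# Constructed sample rows standing in for what a lookup might return in the "score"
# field (assumed values; the thread does not show the real lookup contents).
SAMPLE_ROWS = [
    {"score": 2.3},      # genuine number
    {"score": "7.5"},    # string representation of a number
    {"score": " 9.6 "},  # string with stray whitespace around the number
    {"score": "3.95"},   # falls into the gap between 3.9 and 4.0 in the original case()
    {"score": "n/a"},    # not numeric at all
]

def tonumber(value):
    """Simplified model of SPL tonumber(): a float, or None when the value is not numeric.
    (Real tonumber() may treat edge cases such as surrounding whitespace differently.)"""
    if isinstance(value, (int, float)):
        return float(value)
    s = str(value).strip()
    return float(s) if re.fullmatch(r"[+-]?(\d+\.?\d*|\.\d+)", s) else None

def case(*pairs, default="Other"):
    """Model of SPL case(): (condition, label) pairs are tried left to right, first true wins."""
    for cond, label in pairs:
        if cond:
            return label
    return default  # the true(), "Other" fallback from the question

def severity_original(score):
    """The ranges from the question. Non-numeric input matches no condition, so it
    falls through to "Other", as do values in the gaps such as 3.95."""
    s = tonumber(score)
    if s is None:
        return "Other"
    return case((0.1 <= s <= 3.9, "Low"), (4.0 <= s <= 6.9, "Medium"),
                (7.0 <= s <= 8.9, "High"), (9.0 <= s <= 10.0, "Critical"))

def severity_gapless(score):
    """Giuseppe's boundaries combined with the left-to-right shortcut: each condition only
    needs an upper bound, so there are no gaps and fewer comparisons."""
    s = tonumber(score)
    if s is None:
        return "Other"
    return case((s <= 0, "Other"), (s < 4, "Low"), (s < 7, "Medium"),
                (s < 9, "High"), (s <= 10, "Critical"))

def contains(value):
    """The debugging field from the last reply: wrapping the raw value makes whitespace visible."""
    return ">" + str(value) + "<"

def classify(rows):
    """Show raw value, original-case() result and gapless result side by side for each row."""
    return [(contains(r["score"]), severity_original(r["score"]), severity_gapless(r["score"]))
            for r in rows]
```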