Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

rename everything not included in case()

zkenaga
New Member
‎05-23-2017 03:05 PM

I have eval category=case(false(),'category',like('test',"test_11%"),"11tests",like('test',"test_22%"),"22tests",like('test',"test33%"),"33tests",true(),'test') |

How would I say to rename everything else not included in case()?

Thanks.

Tags (1)
0 Karma
Reply

mengler_splunk
Splunk Employee
Splunk Employee
‎09-01-2017 07:34 AM

Just to put the correct answer in writing:

eval category=case(false(),'category',like('test',"test_11%"),"11tests",like('test',"test_22%"),"22tests",like('test',"test33%"),"33tests",1==1,'everything_else')
Reply

dorgra
Path Finder
‎06-16-2017 06:16 PM

I'm a noob to Splunk and very interested in this question. As a programmer, why not nest the Case statement inside an IF statement?

0 Karma
Reply

DalJeanis
Legend
‎06-17-2017 10:53 AM

To amplify what @niketnilay said, wrapping an if around a case statement, in pretty much any language, is redundant. The only place it makes sense is in a few ancient languages where the switch/case/evaluate/whateveritwascalled statement is limited to numeric values and the if is not -- or by extension, where the main switch is based on conditionally jumping instructions due to different values of a single test, and you want the if to represent a different test.

0 Karma
Reply

niketn
Legend
‎06-16-2017 10:01 PM

@dorgra, I think the answer was including true() or 1==1 condition at the end of the case block, to handled everything else:

true(),"EverythingElse"

It is similar to default condition block when all the other conditions are not true.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-23-2017 04:16 PM

Do post what you did as an answer, and mark it as accepted.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-23-2017 03:49 PM

I'm confused - the "everything else" part of case() already is present in your example, the final pair: true(), 'test' yielding the value of the field test if all other tests are false.

What do you mean by rename?

PS: The first pair, false(), 'category', is pointless - false() is never true.

0 Karma
Reply

zkenaga
New Member
‎05-23-2017 04:00 PM

I figured it out after reading what you said more carefully... Thank you again

0 Karma
Reply

zkenaga
New Member
‎05-23-2017 03:52 PM

I apologize if I wasn't descriptive enough. I have 11tests and 22tests grouped together under a common name, what would be a way I could say, "for everything else, call it this"

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...