Can AND or OR be used in case statements in eval expressions?

Question

Right now I have a search that contains c(eval(status<=400)) AS SUCCESS c(eval(status>400)) AS FAILURE. This works, producing a chart of failures and sucesses. But now I want to change it so it has a WARNING category. This would include only status=404. But to do this I would have to change the FAILURE category to something like, status>400 AND status !=404. But the case statement does not seem to allow this. Can anyone help me with this?

Answer 1

2

Which case statement?

The eval statement supports this. All you have to do is something like this:

... | stats c(eval(status>400 AND status!=404)) AS FAILURE

link

answered 08 May '12, 14:06

Ayn
25.0k●3●7●17
accept rate: 41%

Ayn, This does not work at least with timechart

(09 May '12, 08:30) joegrossman

But it does! I just tried it myself.

(09 May '12, 10:39) Ayn

Answer 2

1	Another approach might be to use a lookup table that has all the various HTTP response codes and the resulting status you wish them to have. You'd have to enumerate them and specify a value for each, but it is workable. link answered 08 May '12, 18:49 dwaddle ♦ 15.4k●2●9●24 accept rate: 33%

Answer 3

1	Or you can do it through `rangemap`... `... \| rangemap field=status SUCCESS=0-399 WARNING=404-404 default=FAILURE` Then you have the information in the newly created field '`range`'. Hope this helps, Kristian link answered 09 May '12, 09:09 kristian.kolb 10.1k●6●15 accept rate: 33%

Answer 4

0

The question was not answered (which seems to be the normal):

So, is:

eval var1 = case(A==0 AND B==1, "ZeroOne", A==1 AND B==0, "OneZero", 1==1, "Neither")

Supposed to be a valid construct?

In my case i can't get it to work. It's either the default branch (1==1) or NULL.

Any hints?

Dirk

link

answered 05 Feb, 08:07

dvl077
11●1
accept rate: 0%

While I can totally appreciate frustration, please remember that most splunk-base participants do not work for Splunk and are answering people's questions on a completely volunteer basis. I don't think your "which seems to be normal" comment is fair to those who do spend a lot of time trying to offer free help on here. Splunk has paid support options available to you if the community is not able to help you solve your problems.

(06 Feb, 08:22) dwaddle ♦

It was just a observation, no critique of the participants was implied.

(06 Feb, 08:33) dvl077

Answer 5

I can get it to work with the following search

sourcetype=access_combined status=404 OR status=200 
| dedup 3 status 
| eval tt=if(time_taken<500, "1", "0") 
| eval var1 = case(status==200 AND tt=1, "A", status==404 AND tt==0, "B", 1>0, "C") 
| table status tt var1

For sake of clarity/completeness, I've included the complete search I used. The first three lines are just for getting event data (based off access_combined) to work on, so they don't have any real purpose besides that.

The results table looks like;

status  tt  var1
404     1   C
200     1   A
404     0   B
200     0   C

Hope this helps,

Kristian

Answer 6

I confirm, the boolean expression in case() works. My problem was the following:

To gather one of the needed values to decide on i did the following:

| eval no-value-supplied = if(isnull(mkfind(msisdn, "no-value-supplied")), 1, 0)

Note that the introduced variable and the constant string in the mkfind are identical.

Interesting is:

if you output the variable, e.g. via "table no-value-supplied" the value binding is correct (1 or 0 in this case).

Using no-value-supplied in a boolean statement inside of case

| eval new_var = case(no-value-supplied == 1 AND ....)

never yields true.

Is this a bug, or did i miss something in the documentation?

Renaming the variable fixed the issue.

Can AND or OR be used in case statements in eval expressions?

Follow this question

Splunk Resources

Related questions