Here is my attempt to create a new field eval in datamodels (no results):
Here is the same data, just not using the datamodel:
If you change the datamodel field to case(action=="Failed Log In", "Failure", action=="Log In", "Success", 1==1, action)
what do you get?
an error message:
Error in 'eval' command: The arguments to the 'case' function are invalid.
Oops. I corrected my answer.
While this did get me closer, in that it provided both the Success & Failure, it unfortunately gave all the other actions too, which is exactly what I'm attempting to avoid.
| Values | Count | % |
|---|---|---|
| Decrypt | 143864 | 82.951 |
| Encrypt | 27243 | 15.708 |
| VPN Routing | 2082 | 1.200 |
| Key Install | 186 | 0.107 |
| Drop | 23 | 0.013 |
| Reject | 18 | 0.010 |
| Success | 12 | 0.007 |
| Log Out | 3 | 0.002 |
| Allow | 1 | 0.001 |
Any idea why putting essentially a true clause at the end makes the Success & Failure case work? Any way to get this to work without obtaining all the other action results?
The idea behind the default clause is to determine if the other expressions are working. Your results make me think they are not since everything appears to be falling into the last category. A better way to verify this is with case(action=="Failed Log In", "Failure", action=="Log In", "Success", 1==1, "unknown - " . action)
It did create the "Success" & "Failure".
If I run your new query, these are the results:
| Values | Count | % |
|---|---|---|
| unknown - Decrypt | 118137 | 79.418 |
| unknown - Encrypt | 28543 | 19.188 |
| unknown - VPN Routing | 1859 | 1.250 |
| unknown - Key Install | 80 | 0.054 |
| unknown - Reject | 74 | 0.050 |
| unknown - Drop | 31 | 0.021 |
| Success | 24 | 0.016 |
| unknown - Log Out | 6 | 0.004 |
(I searched separately and there weren't any failed log ins during this time period)
So it appears as though your original SPL should have worked. I can't explain why you get results with a default clause and not without it.
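
To check the expression independently of the datamodel, the two forms of case() discussed in this thread can be run side by side in an ad-hoc search. This is an added example, not a search posted by anyone in the thread; the four sample rows and the field names n, with_default and without_default are constructed for illustration.

```spl
| makeresults count=4
| streamstats count AS n
``` constructed sample rows: two authentication actions, two unrelated ones ```
| eval action=case(n==1, "Log In", n==2, "Failed Log In", n==3, "Decrypt", n==4, "Log Out")
``` expression from the thread with the diagnostic default clause ```
| eval with_default=case(action=="Failed Log In", "Failure", action=="Log In", "Success", 1==1, "unknown - " . action)
``` same expression without a default: rows matching no clause get NULL ```
| eval without_default=case(action=="Failed Log In", "Failure", action=="Log In", "Success")
| table action with_default without_default
```

In an ad-hoc search, without_default is empty for Decrypt and Log Out while Success and Failure are still produced, so a datamodel calculated field that returns nothing with the same expression points at the datamodel definition rather than at case().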