Hi,
I'm using an "eval myvar=case(...)" like the one in the splunk documentation:
... | eval description=case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")
If 'case' encounters a value for 'error' that is not identified in the mapping then it converts it to the default string "NULL". Is there some trick I can use to have it simply leave it alone and return the raw value itself?
For example using the above fragment, I'd like to have the pseudo-input of
"404 ; 200 ; 600"
map to
Not Found ; OK ; 600
rather than
Not Found ; OK ; NULL
I understand that 'case' doesn't do this [Splunk guys: enhancement request!], but are there any pre-processing tricks I can use retain the values that 'case' would obscure?
thanks.
Case can definitely provide a default. Have your last pairing evaluate to true, and provide your default. The default value can be the name of a field, as well.
eval foo=case(x>0, "Positive", x<0, "Negative", 1=1, x)
Is there still no else statement? This does not seem like an elegant solution.
Case can definitely provide a default. Have your last pairing evaluate to true, and provide your default. The default value can be the name of a field, as well.
eval foo=case(x>0, "Positive", x<0, "Negative", 1=1, x)
Hi
there was days when there haven’t been true() as function, for that reason 1=1 was a way to do that.
r. Ismo