Solved: Re: case: defaulting to "value" rather than NULL

zza2009 · ‎03-27-2012

Hi,
I'm using an "eval myvar=case(...)" like the one in the splunk documentation:

... | eval description=case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")

If 'case' encounters a value for 'error' that is not identified in the mapping then it converts it to the default string "NULL". Is there some trick I can use to have it simply leave it alone and return the raw value itself?

For example using the above fragment, I'd like to have the pseudo-input of

  "404 ; 200 ; 600"

map to

  Not Found ; OK ; 600

rather than

  Not Found ; OK ; NULL

I understand that 'case' doesn't do this [Splunk guys: enhancement request!], but are there any pre-processing tricks I can use retain the values that 'case' would obscure?

thanks.

sowings · ‎03-27-2012

Case can definitely provide a default. Have your last pairing evaluate to true, and provide your default. The default value can be the name of a field, as well.

eval foo=case(x>0, "Positive", x<0, "Negative", 1=1, x)

View solution in original post

alexandrerichar · ‎05-20-2020

Is there still no else statement? This does not seem like an elegant solution.

sowings · ‎03-27-2012

Case can definitely provide a default. Have your last pairing evaluate to true, and provide your default. The default value can be the name of a field, as well.

eval foo=case(x>0, "Positive", x<0, "Negative", 1=1, x)

pm771 · ‎08-11-2020

@sowings ,

Just wonder why you used 1=1 and not true().

Is one approach better than another?

isoutamo · ‎08-12-2020

Hi

there was days when there haven’t been true() as function, for that reason 1=1 was a way to do that.

r. Ismo

case: defaulting to "value" rather than NULL

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?