Usage of Splunk EVAL Function : CASE

  •  This function takes pairs of arguments X and Y.
  •  Each X argument is a Boolean expression.
  •  The arguments are evaluated in order; the Y paired with the first X that evaluates to TRUE is returned. If no X is TRUE, the function returns null.
Find below the skeleton of the usage of the function "case" with EVAL:
  ….. | eval New_Field=case(X,"Y",….)
index=_audit
| eval New_Field=case(info=="granted","GRAN",info=="canceled","CANCEL",1=1,"Nothing")
| table info,New_Field
Result :
| info      | New_Field |
|-----------|-----------|
| granted   | GRAN      |
| completed | Nothing   |
| canceled  | CANCEL    |
Explanation :
In the above query, "info" is an existing field name in the "_audit" index.
There are three conditions based on which the query is executed :
1. If the "info" field is equal to "granted", then "GRAN"
   should be assigned to New_Field.
2. If the "info" field is equal to "canceled", then "CANCEL"
   should be assigned to New_Field.
3. If the "info" field is neither "granted" nor "canceled",
   then "Nothing" should be assigned to New_Field.
   Because case() returns null when no condition matches, the
   default branch needs a condition that is always true as its
   last pair, e.g. 1=1, 2=2 or anything similar.
Now you can effectively utilize the "case" function with the "eval" command to meet your requirement.
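The following search is an added example, not part of the original post, showing why argument order matters in case(): the more specific condition (a failed login to a privileged account) is listed before the general "failed" condition, because the first TRUE pair wins. It assumes the Splunk _audit login events carry action="login attempt", info and user fields, and uses true() as the always-true default instead of 1=1.

```spl
index=_audit action="login attempt"
| eval outcome=case(
      info=="failed" AND like(user, "admin%"), "PRIV_FAILURE",
      info=="failed",                          "FAILURE",
      info=="succeeded",                       "SUCCESS",
      true(),                                  "OTHER")
| stats count by user, outcome
| where outcome=="PRIV_FAILURE" AND count>5
```

If the two "failed" pairs were swapped, every failed login would match the generic branch first and "PRIV_FAILURE" would never be produced; dropping the true() pair would leave events with any other info value as null instead of "OTHER".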

Hope you are now comfortable with the usage of the Splunk EVAL function CASE.

