Usage of Splunk EVAL Function : CASE


  •  This function takes pairs of arguments X and Y.
  •  The X arguments are Boolean expressions; the Y arguments are the values to return.
  •  The pairs are evaluated from left to right. When the first X expression that evaluates to TRUE is encountered, its corresponding Y argument is returned. If no X expression is TRUE, the function returns NULL, so the field is simply absent for that event.
 
Find below the skeleton of the usage of the function "case" with EVAL :

..... | eval New_Field=case(X,"Y",....)
 
 
 
index="_audit"
| eval New_Field=case(info=="granted","GRAN", info=="canceled","CANCEL", 1=1,"Nothing")
| table info, New_Field
 
Result :

info        New_Field
granted     GRAN
completed   Nothing
canceled    CANCEL
 
 
Explanation :

In the above query, "info" is an existing field in the "_audit" index (Splunk's own audit trail, where it records the outcome of actions such as searches).

There are three conditions, checked in the order in which they are written :

1. If the "info" field is equal to "granted", then "GRAN"
   is assigned to New_Field.
2. If the "info" field is equal to "canceled", then "CANCEL"
   is assigned to New_Field.
3. If the "info" field is neither "granted" nor "canceled",
   then "Nothing" is assigned to New_Field.
   For this default we need a condition that is always true
   as the last X argument. Any tautology works, e.g. 1=1 or 2=2
   as above; the built-in true() function is the clearer choice.
   Without such a default, events that match none of the
   conditions get no New_Field at all (the value is NULL),
   and they would silently drop out of a later "stats ... by New_Field".

Note that string comparisons in eval are case-sensitive : an info value of "Granted" would not match info=="granted". Wrap the field in lower() inside the conditions if the case of the values is not guaranteed.
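As an added example that is not part of the original post, the search below applies case() to the same _audit index for a security-triage task : it assigns a severity to each audit event and counts them. It assumes that _audit events carry the fields action, info and search with values such as "login attempt", "search", "failed" and "succeeded" (these field and value names are assumptions about the audit log, not something the page states), and the severity labels are arbitrary.

```spl
index="_audit" (action="login attempt" OR action="search")
| eval severity=case(
      action=="login attempt" AND lower(info)=="failed",        "high",
      action=="search" AND match(search, "index\s*=\s*_audit"),  "medium",
      lower(info)=="granted" OR lower(info)=="succeeded",       "low",
      true(),                                                   "unclassified")
| stats count BY action, severity
| sort - count
```

Because case() returns the Y of the first TRUE pair, the specific failed-login test is placed before the general "granted or succeeded" line; swapping them would never produce "high". The last pair uses true() as the documented always-true default. If you drop it, events that match nothing get no severity field, and since stats drops events whose BY field is NULL, those events disappear from the count without any warning.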
 
Now you can effectively utilize “case” function with “eval” command to meet your requirement !!
 
 

Hope you are now comfortable in : Usage of Splunk EVAL Function : CASE

HAPPY SPLUNKING !!
 
 
 