What to do when we get an error in the Splunk eval command


For this Splunk query:

index=* | eval case(status="200", "is successful", status="300", is redirect, status="400", "is error", 1=1", is did not match")

I expected that I would get a result with a list of 200 as successful, 300 as redirect, and 400 as error, but my eval command has an error.


There are 1 answers

Mads Hansen On

There appear to be a couple of issues with your use of the case statement.

  1. You need to assign the result of the case statement to a field that can be used.

  2. The quotes for your values are not correct. is redirect doesn't have any, and is did not match" has a trailing quote, but not a leading quote.

  3. You should use == and not = when testing the status values.

  4. You need to do something with the results of your case.

Try something like this:

index=* 
| eval label = case(status=="200", "is successful", status=="300", "is redirect", status=="400", "is error", 1=1, "is did not match")
| stats count by label
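
An added example, not part of the answer above: the same case() pattern run against five constructed events, so it can be tried in any search bar without depending on what index=* returns. The makeresults/streamstats lines and the sample status values (two 200s, one 300, one 400, one 503) are assumptions made up for illustration, and true() is used as the catch-all condition in place of 1=1.

```spl
| makeresults count=5
| streamstats count AS n
| eval status=case(n==1, "200", n==2, "200", n==3, "300", n==4, "400", n==5, "503")
| eval label=case(status=="200", "is successful",
                  status=="300", "is redirect",
                  status=="400", "is error",
                  true(), "is did not match")
| stats count BY label
```

The 503 event matches none of the explicit conditions, so it lands in the "is did not match" row; without a catch-all, case() returns null for it and stats count BY label leaves that event out of the results.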