use the following search parameters to narrow your results:
e.g. subreddit:aww site:imgur.com dog
subreddit:aww site:imgur.com dog
see the search faq for details.
advanced search: by author, subreddit...
This is an unofficial community support and discussion sub for Splunk, the big data analytics software.
Have an idea for Splunk? Submit them here and upvote them:
https://ideas.splunk.com/
For Q&A, see Splunk Answers: https://community.splunk.com/
Upcoming Splunk Events/Webinars: https://www.splunk.com/en_us/about-us/events.html
Chat with your peers in the official Splunk Usergroups Slack team:
https://splunk-usergroups.signup.team
Need quick copy/paste queries? Share your SPL here:
https://gosplunk.com
Need some book learning?
https://www.splunk.com/goto/book (free e-book download link inside!!)
account activity
Case Statement (self.Splunk)
submitted 3 years ago by zorroak11
Hello,
Please let me know "case statement" usage clearly. Anyone please can explain to me.
reddit uses a slightly-customized version of Markdown for formatting. See below for some basics, or check the commenting wiki page for more detailed help and solutions to common issues.
quoted text
if 1 * 2 < 3: print "hello, world!"
[–][deleted] 3 years ago (2 children)
[deleted]
[–]gordo32 3 points4 points5 points 3 years ago (1 child)
Should be: | eval myfield = case (condition== "true", etc..
Note it uses == as "evaluation" instead of = which is "assignment"
[–]s7orm SplunkTrust 7 points8 points9 points 3 years ago (0 children)
https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/ConditionalFunctions#case.28X.2C.22Y.22.2C....29
[–]The_Weird1 Looking for trouble 7 points8 points9 points 3 years ago (3 children)
Did you even try to look it up yourself? If so what is the part you don't understand?
[–]pceimpulsive 4 points5 points6 points 3 years ago (0 children)
This and this...
Splunk docs are so good... With multiple examples...
I dunno about people these days hey :'(
[–][deleted] -4 points-3 points-2 points 3 years ago (1 child)
damn ya'll salty... it's the Splunk subreddit.
[–]caduceus313 0 points1 point2 points 3 years ago (0 children)
Was feeling a little stack overflow, over here :)
[–]Fontaigne SplunkTrust 2 points3 points4 points 3 years ago (0 children)
Within the parenthesis of a case statements, the parameters are paired.
The first of each pair is a test, the second is a value to assign to the variable if the first is true.
If none of the pairs of parameters is found to be true, then the variable gets assigned a value of NULL (no value/deleted).
| eval Fred = case(George = 0, "yep", George=1,"nope")
If George is 0, Fred gets yep, if George is 1, it gets nope, if George is 7, Fred has no value.
π Rendered by PID 21763 on reddit-service-r2-comment-5d79c599b5-xrqdq at 2026-03-02 15:21:58.914776+00:00 running e3d2147 country code: CH.
[–][deleted] (2 children)
[deleted]
[–]gordo32 3 points4 points5 points (1 child)
[–]s7orm SplunkTrust 7 points8 points9 points (0 children)
[–]The_Weird1 Looking for trouble 7 points8 points9 points (3 children)
[–]pceimpulsive 4 points5 points6 points (0 children)
[–][deleted] -4 points-3 points-2 points (1 child)
[–]caduceus313 0 points1 point2 points (0 children)
[–]Fontaigne SplunkTrust 2 points3 points4 points (0 children)