topic Re: How do I use a value in an existing field to create a new field and assign output values? in Splunk Search

How do I use a value in an existing field to create a new field and assign output values?

ejohn — Mon, 07 Aug 2017 20:08:33 GMT

I'm trying to create a new field called TYPE, which is dependent on the word "summary" or "detail" appearing in the TITLE field, so I can then count by TYPE.

I successfully filtered my logs to identify reports with "summary" or "detail" in the title:

|search(title="*summary*" OR "*detail*")

Then, I tried to create TYPE and set its output values to "Report Summary" or "Detailed Report":

|eval type=if(match(title,"*summary*"), "Report Summary", match(title, "*detail*"), "Detailed Report")

I also tried doing a field extraction, but the title field does not appear in the Select Fields box to be highlighted.

I'm stuck. Please help!

Re: How do I use a value in an existing field to create a new field and assign output values?

jkat54 — Mon, 07 Aug 2017 22:22:20 GMT

Match uses regular expressions so

* matches * and .* matches everything

Try this instead:

 | eval type=if(match(title,".*summary.*"),"Report Summary",if(match(title, ".*detail.*"),"Detailed Report","Unknown Type"))

Re: How do I use a value in an existing field to create a new field and assign output values?

woodcock — Mon, 07 Aug 2017 22:43:23 GMT

Your stacked if should really be a case and your RegEx like this:

index=YouShouldAlwaysSpeciryAnIndex sourcetype=AndSourcetypeToo title="*summary*" OR "*detail*"
| eval type=case(match(title, "(?i)summary"), "Report Summary",
                 match(title, "(?i)detail"), "Detailed Report",
                 true(), "THIS SHOULD NEVER EVER HAPPEN")

Re: How do I use a value in an existing field to create a new field and assign output values?

ejohn — Tue, 08 Aug 2017 00:35:31 GMT

Thanks for the quick response!

I tried this with * and with .* for wildcards, but I get the following error:

  Error in 'eval' command: The arguments  to the 'searchmatch' function are invalid.

Re: How do I use a value in an existing field to create a new field and assign output values?

ejohn — Tue, 08 Aug 2017 00:39:59 GMT

Thanks for responding so quickly!

This is creating the TYPE field, but it's only returning the value "unknown type". Could this have something to do with special characters in the titles?

Re: How do I use a value in an existing field to create a new field and assign output values?

jkat54 — Tue, 08 Aug 2017 11:16:49 GMT

As long as the titles are have lowercase summary or detail, it should work fine.

If summary can be upper or lower you can do this instead

  .*[sS][uU][mM][mM][aA][rR][yY].*

Same syntax for details.

Re: How do I use a value in an existing field to create a new field and assign output values?

woodcock — Tue, 08 Aug 2017 14:41:58 GMT

I was adding features to searchmatch in my mind! Try updated answer instead.

Re: How do I use a value in an existing field to create a new field and assign output values?

ejohn — Tue, 08 Aug 2017 18:18:12 GMT

I changed * to .* in the eval and it worked!

Thanks so much!

Re: How do I use a value in an existing field to create a new field and assign output values?

ejohn — Tue, 08 Aug 2017 18:24:11 GMT

Once I capitalized summary and detail it worked. Now I know how to account for upper and lower too.

Thanks for the help!

Re: How do I use a value in an existing field to create a new field and assign output values?

DalJeanis — Tue, 08 Aug 2017 18:34:41 GMT

@ejohn - if it worked, please "accept" the answer so the question will show as complete.

Re: How do I use a value in an existing field to create a new field and assign output values?

woodcock — Tue, 08 Aug 2017 19:01:25 GMT

ARGH! You are right again. That's what I get for writing RegEx in my head. I will fix the original answer (the right answer is to not have the asterisks at all).

Re: How do I use a value in an existing field to create a new field and assign output values?

jkat54 — Tue, 08 Aug 2017 22:17:58 GMT

@ejohn, since both answers worked, why don't you choose the one that runs the quickest, or consumes the least CPU/RAM or whatever you like, and then mark it as the answer and upvote both?

Re: How do I use a value in an existing field to create a new field and assign output values?

ejohn — Thu, 10 Aug 2017 18:37:04 GMT

@jkat54, thanks for the suggestion. I decided to accept the answer with the higher EPS.

Adding each eval to the rest of my search against 10 months of logs in Verbose mode:

|eval type=case(match(title...) returned 14,190 EPS

and

|eval type=if(match(title...)returned 13,408 EPS

Re: How do I use a value in an existing field to create a new field and assign output values?

ejohn — Thu, 10 Aug 2017 18:52:54 GMT

That worked too!

Re: How do I use a value in an existing field to create a new field and assign output values?

ejohn — Thu, 10 Aug 2017 18:53:47 GMT

@jkat54 and @woodcock this is my first real attempt a crowdsourcing and I like it! You guys have been awesome!

Re: How do I use a value in an existing field to create a new field and assign output values?

jkat54 — Thu, 10 Aug 2017 23:00:39 GMT

Hey @ejohn, anytime sir! That's what we do. Feel free to tag us when needed. @woodcock almost always has the best answer but I keep trying!