topic Re: How to create a field with selected values of the same field in Splunk Search

How to create a field with selected values of the same field

umsundar2015 — Fri, 23 Nov 2018 06:39:14 GMT

Hi ,

I have OS field which has many rows .In that i need to filter only the below values and create a field ,
Windows Server 2012 R2 Standard
Windows 7
Windows Server 2012
Windows 7 Enterprise
Windows 10
Microsoft Windows Server 2008 R2 Standard
Microsoft Windows Server 2008 R2 Enterprise
Microsoft Windows 2008 Server Standard
Windows 8
Windows 10 Enterprise

When i use match function like ,
eval OS=mvfilter(match(OS,"Windows Server 2012 R2 Standard") OR match(OS,"Windows Server 2012") OR match(OS,"Windows 7")) |stats count by OS

I am getting other values "Windows 7 embedded " also which i dont need in the list of values.

Please help to filter the exact values which i needed above.

Thanks .

Re: How to create a field with selected values of the same field

vik_splunk — Fri, 23 Nov 2018 13:05:11 GMT

Hi @umsundar2015

A few different ways to do this.

1)Using replace : If your "other" options are limited, you could do something like below

|replace "Windows 7 embedded" WITH "Windows 7" IN OS (You can use wild characters and multiple values to replace in one single command.

Reference here : http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Replace

2)Using eval case : Spinning up an example without sample data is going to be difficult but a sample query will look like

|eval OS=case(match(OS,"Windows 7 embedded"),"Windows 7,..... series of such match functions(or can use simple OS==),finally a default match)

Reference here: http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/ConditionalFunctions

Hope that helps!

Re: How to create a field with selected values of the same field

vik_splunk — Mon, 21 Jan 2019 12:54:19 GMT

If this answerd your question @umsundar2015, please mark it as closed/upvote.