https://community.splunk.com/t5/Splunk-Search/rename-the-search-results-for-multiple-conditions/m-p/477424#M133983 <P>That stats command only works for events with both MANAGER_NAME1 and MANAGER_NAME2 fields populated. I'm guessing that is not the case?</P> <P>Also: your first case statement is missing the <CODE>"</CODE> characters around the <CODE>XZ*</CODE> etc.<BR /> Also: <CODE>MANAGER_NAME=="XZ*" OR MANAGER_NAME=="X*" OR MANAGER_NAME=="XY"</CODE> is a bit silly. Since you include "X*" as one of the options, that already covers the other two cases.<BR /> Anyway, you cannot use wildcards there.</P> <P>You'd probably want to put it all into 1 case statement and use the <CODE>match()</CODE> function. E.g.:</P> <PRE><CODE>index=alarms sourcetype=ommc_alarms APPLICATION=spk OR APPLICATION=*spk3* | eval MANAGER_NAME1=case(match(MANAGER_NAME,"^X.*"),"Prd",match(AMONAME,"^YL.*"),Dev,match(AMONAME,"^ZN.*"),QAT) | stats count by MANAGER_NAME1 </CODE></PRE> <P>If that is not what you are after, please describe in more detail what your data looks like and what the result would be that you want out of this.</P> Wed, 30 Sep 2020 02:51:41 GMT FrankVl 2020-09-30T02:51:41Z https://community.splunk.com/t5/Splunk-Search/rename-the-search-results-for-multiple-conditions/m-p/477423#M133982 <P>Hello, I'm trying to rename query output and those are string values.<BR /> expecting output for field MANAGER_NAME would be like below,<BR /> <CODE>XZ* = PRD<BR /> X* = PRD<BR /> XY = PRD<BR /> YL = DEV<BR /> ZN = QAT</CODE></P> <P>tried with below query but it's not working any suggestions?</P> <PRE><CODE>index=alarms sourcetype=ommc_alarms APPLICATION=spk OR APPLICATION=*spk3* | eval MANAGER_NAME1=case(MANAGER_NAME==XZ* OR MANAGER_NAME==X* OR MANAGER_NAME==XY,"Prd") | eval MANAGER_NAME2=case(AMONAME=="YL*",Dev,AMONAME=="ZN*",QAT) | stats count by MANAGER_NAME1 ,MANAGER_NAME2 </CODE></PRE> Fri, 08 Nov 2019 05:58:21 GMT https://community.splunk.com/t5/Splunk-Search/rename-the-search-results-for-multiple-conditions/m-p/477423#M133982 nagarajsf 2019-11-08T05:58:21Z https://community.splunk.com/t5/Splunk-Search/rename-the-search-results-for-multiple-conditions/m-p/477424#M133983 <P>That stats command only works for events with both MANAGER_NAME1 and MANAGER_NAME2 fields populated. I'm guessing that is not the case?</P> <P>Also: your first case statement is missing the <CODE>"</CODE> characters around the <CODE>XZ*</CODE> etc.<BR /> Also: <CODE>MANAGER_NAME=="XZ*" OR MANAGER_NAME=="X*" OR MANAGER_NAME=="XY"</CODE> is a bit silly. Since you include "X*" as one of the options, that already covers the other two cases.<BR /> Anyway, you cannot use wildcards there.</P> <P>You'd probably want to put it all into 1 case statement and use the <CODE>match()</CODE> function. E.g.:</P> <PRE><CODE>index=alarms sourcetype=ommc_alarms APPLICATION=spk OR APPLICATION=*spk3* | eval MANAGER_NAME1=case(match(MANAGER_NAME,"^X.*"),"Prd",match(AMONAME,"^YL.*"),Dev,match(AMONAME,"^ZN.*"),QAT) | stats count by MANAGER_NAME1 </CODE></PRE> <P>If that is not what you are after, please describe in more detail what your data looks like and what the result would be that you want out of this.</P> Wed, 30 Sep 2020 02:51:41 GMT https://community.splunk.com/t5/Splunk-Search/rename-the-search-results-for-multiple-conditions/m-p/477424#M133983 FrankVl 2020-09-30T02:51:41Z https://community.splunk.com/t5/Splunk-Search/rename-the-search-results-for-multiple-conditions/m-p/477425#M133984 <P>Hello @FrankVl ,</P> <P>Added example values above query.<BR /> I trying as you suggested but it giving me only first value <CODE>Prd</CODE>, but I need all matching values to <CODE>Prod, Dev, QAT</CODE></P> <PRE><CODE>index=alarms sourcetype=ommc_alarms APPLICATION=spk OR APPLICATION=*spk3* | eval MANAGER_NAME1=case(match(MANAGER_NAME,"^prdplhdpx*"),"Prd",match(AMONAME,"^qatehdp*"),"Dev",match(AMONAME,"^devehdp*"),"QAT") | stats count by MANAGER_NAME1 </CODE></PRE> <P>I want to create a dropdown dashboard based on selection of the environment. </P> Fri, 08 Nov 2019 18:59:24 GMT https://community.splunk.com/t5/Splunk-Search/rename-the-search-results-for-multiple-conditions/m-p/477425#M133984 nagarajsf 2019-11-08T18:59:24Z https://community.splunk.com/t5/Splunk-Search/rename-the-search-results-for-multiple-conditions/m-p/477426#M133985 <P>If that search only gives you a Prd result, there is probably something incorrect in the criteria of the case statement. Note: match uses regular expressions, which are case sensitive.</P> <P>Run the search without the <CODE>stats count</CODE> part and see if the <CODE>MANAGER_NAME1</CODE> is populated correctly for all events.</P> Mon, 11 Nov 2019 09:11:34 GMT https://community.splunk.com/t5/Splunk-Search/rename-the-search-results-for-multiple-conditions/m-p/477426#M133985 FrankVl 2019-11-11T09:11:34Z https://community.splunk.com/t5/Splunk-Search/rename-the-search-results-for-multiple-conditions/m-p/477427#M133986 <P>Yes, I ran query without or with <CODE>stats count</CODE>, in both cases, it is giving value of which match provided in the case. </P> <P>For instance if I gave <CODE>match(MANAGER_NAME,"^prdplhdpx*"),"Prd"</CODE> in a first place of <CODE>case</CODE> then giving matched value of it and its not considering other match options, <CODE>match(AMONAME,"^qatehdp*"),"Dev",match(AMONAME,"^devehdp*"),"QAT")</CODE>.</P> <P>basically <CODE>MANAGER_NAME1</CODE> value is populating first match of <CODE>case</CODE> and it's ignoring other options</P> Fri, 15 Nov 2019 21:08:20 GMT https://community.splunk.com/t5/Splunk-Search/rename-the-search-results-for-multiple-conditions/m-p/477427#M133986 nagarajsf 2019-11-15T21:08:20Z https://community.splunk.com/t5/Splunk-Search/rename-the-search-results-for-multiple-conditions/m-p/477428#M133987 <P>Can you show a sample of your data showing the MANAGER_NAME and AMONAME fields and the result of the case statement as it is put into MANAGER_NAME1?</P> Wed, 30 Sep 2020 03:05:50 GMT https://community.splunk.com/t5/Splunk-Search/rename-the-search-results-for-multiple-conditions/m-p/477428#M133987 FrankVl 2020-09-30T03:05:50Z