Multiple field values combined into two different fields

jason_hotchkiss — Tue, 27 Oct 2020 18:23:22 GMT

Hello Splunkers

I have the following field: Message

The Message fields have the following values: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

I need to create two additional fields: Success and Failure

Values for Success are: 2,4,6,10, & 12
Values for Failure are: 1,3,5,9,13

All unused values are ignored and not included in either the Success or Failure field.

I have tried the following:
| eval status=if(in(Message,"2","4","6","10","12"),"Success","Failure")

This does two things: The eval statement groups all the values in Success, correctly. However, the eval statement groups all the values in Failure, incorrectly (by including all values other than 2,4,6,10, & 12). Additionally, it groups these into a single field with two values, Success & Failure. However, I would prefer to create two new fields with just the selected values for Success & Failure.

UPDATE - I think I figured this out:

eval success=case(Message="2","2",Message="4","4",Message="6","6",Message="10","10",Message="12","12")

eval failure=case(Message="1","1",Message="3","3",Message="5","5",Message="9","9",Message="13","13")

|stats values(success) values(failures) to validate.

Is there a better way to do it? Thank you!

Re: Multiple field values combined into two different fields

ITWhisperer — Tue, 27 Oct 2020 19:23:38 GMT

How about

| eval success=if(in(Message,"2","4","6","10","12"),Message,null) | eval failure=if(in(Message,"1","3","5","9","13"),Message,null) | stats values(success) values(failure)

topic Re: Multiple field values combined into two different fields in Splunk Search

Multiple field values combined into two different fields

Re: Multiple field values combined into two different fields