https://community.splunk.com/t5/Splunk-Search/How-to-write-search-with-CASE-and-MATCH-function/m-p/594621#M206961 <P>Thank you for your reply. I want to create a base search for ITSI KPI configuration. That's why I need it to be extracted and create a single field for it.</P> Thu, 21 Apr 2022 09:24:17 GMT syazwani 2022-04-21T09:24:17Z https://community.splunk.com/t5/Splunk-Search/How-to-write-search-with-CASE-and-MATCH-function/m-p/594617#M206959 <P>Hi peeps,&nbsp;</P> <P>I need help to fine tune this query;</P> <PRE>index=network sourcetype=ping<BR />| eval pingsuccess=case(match(ping_status, "succeeded"), Number)</PRE> <P>Basically, I want to create a new field for ping success that will show the event count as values.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="syazwani_0-1650532081422.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/19173i81BC4B7319682C2A/image-size/medium?v=v2&amp;px=400" role="button" title="syazwani_0-1650532081422.png" alt="syazwani_0-1650532081422.png" /></span></P> <P>Please help.</P> Thu, 21 Apr 2022 14:43:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-search-with-CASE-and-MATCH-function/m-p/594617#M206959 syazwani 2022-04-21T14:43:01Z https://community.splunk.com/t5/Splunk-Search/How-to-write-search-with-CASE-and-MATCH-function/m-p/594618#M206960 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/238134">@syazwani</a>,</P><P>let me understand: what are the values of ping_status?</P><P>if they are only "succeded" and "failed", you don't need anything:</P><LI-CODE lang="markup">index=network sourcetype=ping | stats count BY ping_status</LI-CODE><P>if you have more values for ping_status that you want to aggregate you could use if or case functions:</P><LI-CODE lang="markup">index=network sourcetype=ping | eval pingsuccess=if(ping_status="succeeded"), "succeeded","failed") | stats count BY pingsuccess</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Thu, 21 Apr 2022 09:19:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-search-with-CASE-and-MATCH-function/m-p/594618#M206960 gcusello 2022-04-21T09:19:04Z https://community.splunk.com/t5/Splunk-Search/How-to-write-search-with-CASE-and-MATCH-function/m-p/594621#M206961 <P>Thank you for your reply. I want to create a base search for ITSI KPI configuration. That's why I need it to be extracted and create a single field for it.</P> Thu, 21 Apr 2022 09:24:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-search-with-CASE-and-MATCH-function/m-p/594621#M206961 syazwani 2022-04-21T09:24:17Z https://community.splunk.com/t5/Splunk-Search/How-to-write-search-with-CASE-and-MATCH-function/m-p/594622#M206962 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/238134">@syazwani</a>,</P><P>using my hint are you able to create the field?</P><P>otherwise, could you describe some sample of the values of the ping_status field?</P><P>Ciao.</P><P>Giuseppe</P> Thu, 21 Apr 2022 09:28:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-search-with-CASE-and-MATCH-function/m-p/594622#M206962 gcusello 2022-04-21T09:28:13Z