topic Re: Can I add constant field/value conditionally? in Splunk Search

Can I add constant field/value conditionally?

yk010123 — Wed, 03 May 2023 18:21:20 GMT

I have the following query:

"MyToken" status >= 400 | stats count by status,action

That produces a table like :

status	action	count
404	action1	20
500	action2	30
400	action3	50

I would like to add a constant "description" depending on the status so that for example the output looks like :

status	action	count	description
404	action1	20	NOT FOUND
500	action2	30	INTERNAL ERROR
400	action3	50	INVALID Request

The description should map from the status

Re: Can I add constant field/value conditionally?

rut — Wed, 03 May 2023 18:39:25 GMT

Hi @yk010123, you can map a lookup file to the status codes using the following command:

| lookup http_status_codes_lookup.csv status OUTPUT description

This assumes you have a lookup file containing the fields status and description. If you don't yet have a lookup, you can add one through settings, lookups. You could start by getting a prefilled csv file at iana:

https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml

https://www.iana.org/assignments/http-status-codes/http-status-codes-1.csv

You can read more about adding lookups over here:

https://docs.splunk.com/Documentation/Splunk/9.0.4/Knowledge/Usefieldlookupstoaddinformationtoyourevents

Re: Can I add constant field/value conditionally?

seemanshu — Wed, 03 May 2023 18:47:13 GMT

Hi @yk010123 ,

You may use the following eval case to map the description with your status code,

| eval description=case(status=="404","NOT FOUND",status==500,"INTERNAL ERROR",status=="400","INVALID Request",1=1,"NULL")

Kindly support the answer if found helpful.