topic Re: Splunk search eval or other command in Splunk Search

Splunk search eval or other command

Harikiranjammul — Fri, 16 May 2025 10:47:24 GMT

Have events like below

1) date-Timestamp

Server - hostname

Status - host is down

Threshold - unable to ping

Date-Timestamp

Db - dbname

Status- database is down

Instance status- DB instance is not available

I would need to write Eval condition and create new field description that if field status is " database is down" , I need to add date, dB, status, Instances status fields to description field

And if status is host down, need to add date,server, status, threshold to description field.

Re: Splunk search eval or other command

ITWhisperer — Fri, 16 May 2025 11:28:30 GMT

| eval description=case(Status="host is down",Date.",".Server.",".Status.",".Threshold,Status="database is down",Date.",".Db.",".Status.",".'Instance status')

Re: Splunk search eval or other command

livehybrid — Fri, 16 May 2025 12:22:41 GMT

Hi @Harikiranjammul

Use an eval statement with a conditional to build the description field based on the value of status.

|makeresults | eval Server="host1", Status="host is down", Threshold="unable to ping"
| append [| makeresults | eval Db="db1", Status="database is down", Instance_status="DB instance is not available"]
| eval date=strftime(_time, "%d/%m/%Y %H:%M:%S")
| eval description=case(
Status=="database is down", "date=" . date . " Db=" . Db . " Status=" . Status . " Instance_status=" . Instance_status,
Status=="host is down", "date=" . date . " Server=" . Server . " Status=" . Status . " Threshold=" . Threshold
)

This SPL checks the Status field and constructs the description field by concatenating the relevant fields for each case.

Ensure your field names match exactly (case-sensitive) and are extracted correctly before using this logic.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Splunk search eval or other command

Harikiranjammul — Fri, 16 May 2025 13:02:34 GMT

Thank you

How can I use eval like here?

I mean here status field contains someother text before and after the 'Host is down' and 'database is down' values and it varies every event.

just wanted to put status=like(*host is down*)

Re: Splunk search eval or other command

livehybrid — Fri, 16 May 2025 14:01:14 GMT

Hi @Harikiranjammul

If you can, restrict the first part of the search by adding

(Status="*host is down* OR Status="*Some other criteria*")

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Splunk search eval or other command

ITWhisperer — Fri, 16 May 2025 15:22:22 GMT

| eval description=case(like(Status,"%host is down%"),Date.",".Server.",".Status.",".Threshold,like(Status,"%database is down%"),Date.",".Db.",".Status.",".'Instance status')