https://community.splunk.com/t5/Splunk-Search/Eval-for-known-and-unknown-field-values/m-p/129632#M35275 <P>Sorry my bad. Its was indded a syntax from my end. Thank you so much for your help, Martin.</P> Sun, 08 Feb 2015 01:05:11 GMT ashabc 2015-02-08T01:05:11Z https://community.splunk.com/t5/Splunk-Search/Eval-for-known-and-unknown-field-values/m-p/129628#M35271 <P>I am using a search command to rename ip address output to device names something like below:</P> <PRE><CODE>sourcetype=syslog | eval srcip = case(srcip = "192.168.x.5","Samsung S4", srcip = "192.168.x.8","iPhone5", srcip = "192.168.x.10","Laptop") | rename "srcip" as "Device Name" | stats count by "Device Name" </CODE></PRE> <P>The problem is with the above command is, it only displays the devices that are in the case statement. How can I display all the devices in the sourcetype/log both defined in the case statement and those are not defined (the IP address instead of name is fine for the devices which are not defined in the case statement). For example there could be a device in the logfile with srcip=192.168.x.21 which is not defned in the case statement, and hence will not show in the output, but I would lke this device be displayed as 192.168.x.21 in the stats command output.</P> Sat, 07 Feb 2015 10:05:33 GMT https://community.splunk.com/t5/Splunk-Search/Eval-for-known-and-unknown-field-values/m-p/129628#M35271 ashabc 2015-02-07T10:05:33Z https://community.splunk.com/t5/Splunk-Search/Eval-for-known-and-unknown-field-values/m-p/129629#M35272 <P>You need to do the eval and rename after your stats: </P> <PRE><CODE>sourcetype=syslog | stats count by srcip | eval srcip = case(srcip = "192.168.x.5","Samsung S4", srcip = "192.168.x.8","iPhone5", srcip = "192.168.x.10","Laptop", true(), srcip) | rename "srcip" as "Device Name" </CODE></PRE> Sat, 07 Feb 2015 13:32:43 GMT https://community.splunk.com/t5/Splunk-Search/Eval-for-known-and-unknown-field-values/m-p/129629#M35272 _d_ 2015-02-07T13:32:43Z https://community.splunk.com/t5/Splunk-Search/Eval-for-known-and-unknown-field-values/m-p/129630#M35273 <P>Make your <CODE>case()</CODE> keep the original value for unknown values like this:</P> <PRE><CODE>... | eval srcip = case(srcip = "192.168.x.5","Samsung S4", srcip = "192.168.x.8","iPhone5", srcip = "192.168.x.10","Laptop", 1=1, srcip) </CODE></PRE> <P>As an entirely different alternative, define a lookup table containing your known mapped values. That'll keep this knowledge out of potentially many searches.</P> Sat, 07 Feb 2015 14:11:26 GMT https://community.splunk.com/t5/Splunk-Search/Eval-for-known-and-unknown-field-values/m-p/129630#M35273 martin_mueller 2015-02-07T14:11:26Z https://community.splunk.com/t5/Splunk-Search/Eval-for-known-and-unknown-field-values/m-p/129631#M35274 <P>Thank you Martin for responding to my post. When I use the command you suggested, it throws an error "Unknown search command 'case'. "<BR /> Any syntax issue in 1=1, srcip ?</P> Sun, 08 Feb 2015 00:59:32 GMT https://community.splunk.com/t5/Splunk-Search/Eval-for-known-and-unknown-field-values/m-p/129631#M35274 ashabc 2015-02-08T00:59:32Z https://community.splunk.com/t5/Splunk-Search/Eval-for-known-and-unknown-field-values/m-p/129632#M35275 <P>Sorry my bad. Its was indded a syntax from my end. Thank you so much for your help, Martin.</P> Sun, 08 Feb 2015 01:05:11 GMT https://community.splunk.com/t5/Splunk-Search/Eval-for-known-and-unknown-field-values/m-p/129632#M35275 ashabc 2015-02-08T01:05:11Z