topic Re: Is there a better way to write EVAL to modify information in a chart in Splunk Search https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141457#M39190 <P>Hi kashanky143,</P> <P>Look this: </P> <PRE><CODE>| chart values(Item3Count) by Source | eval Item3Count=if(match(source,"item1") OR match(source,"item2") OR match(source,"item4"),0,Item3Count) </CODE></PRE> Mon, 13 Apr 2015 07:17:44 GMT ngatchasandra 2015-04-13T07:17:44Z Is there a better way to write EVAL to modify information in a chart https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141453#M39186 <P>Hi </P> <P>I have the query which yields the results i want, but i would like to know if there's a cleaner way to achieve my goal.</P> <P>I have the following table <BR /> Source ------------------------- Item3Count<BR /> Item1 ----------------------------- 1<BR /> Item2 ----------------------------- 1<BR /> Item3 ----------------------------- 22<BR /> Item4 ----------------------------- 1</P> <P>I would like to modify the above table to look like this (should show count value for item3 only)<BR /> Source ------------------------- Item3Count<BR /> Item1 ----------------------------- 0<BR /> Item2 ----------------------------- 0<BR /> Item3 ----------------------------- 22<BR /> Item4 ----------------------------- 0</P> <P>Currently my query looks like this ... It works but i feel like its too many lines of query to make small modification. Please let me know if there's a better way to write the same query</P> <P>| chart values(Item3Count) by Source <BR /> | eval Item3Count=if(match(source,"item1"),0,Item3Count) <BR /> | eval Item3Count=if(match(source,"item2"),0,Item3Count) <BR /> | eval Item3Count=if(match(source,"item4"),0,Item3Count) </P> <P>Thanks<BR /> Sheshank</P> Sat, 11 Apr 2015 21:28:31 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141453#M39186 kshanky143 2015-04-11T21:28:31Z Re: Is there a better way to write EVAL to modify information in a chart https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141454#M39187 <P>You really only need one of these for the "item3" row. The way you're doing it is harder cause you have to match all the other rows. Better to do the reverse and match only the one you want. The rest will get zeros when source does not match "item 3".</P> <PRE><CODE>| eval Item3Count=if(match(source,"item3"),0,Item3Count) </CODE></PRE> Sat, 11 Apr 2015 21:43:42 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141454#M39187 sideview 2015-04-11T21:43:42Z Re: Is there a better way to write EVAL to modify information in a chart https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141455#M39188 <P>Do you mean this .. ? I think u missed '!'<BR /> | eval Item3Count=if(!match(source,"item3"),0,Item3Count) </P> Sat, 11 Apr 2015 23:05:49 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141455#M39188 kshanky143 2015-04-11T23:05:49Z Re: Is there a better way to write EVAL to modify information in a chart https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141456#M39189 <P>Oh right. You want the other way around. Sorry.</P> <P>| eval Item3Count=if(match(source,"item3"),Item3Count,0) </P> Sat, 11 Apr 2015 23:24:27 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141456#M39189 sideview 2015-04-11T23:24:27Z Re: Is there a better way to write EVAL to modify information in a chart https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141457#M39190 <P>Hi kashanky143,</P> <P>Look this: </P> <PRE><CODE>| chart values(Item3Count) by Source | eval Item3Count=if(match(source,"item1") OR match(source,"item2") OR match(source,"item4"),0,Item3Count) </CODE></PRE> Mon, 13 Apr 2015 07:17:44 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141457#M39190 ngatchasandra 2015-04-13T07:17:44Z Re: Is there a better way to write EVAL to modify information in a chart https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141458#M39191 <P>Hi kshanky143 <BR /> You can also use this :</P> <PRE><CODE> ....|replace 1 with 0 in Item3Count </CODE></PRE> Mon, 13 Apr 2015 07:50:03 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141458#M39191 chimell 2015-04-13T07:50:03Z Re: Is there a better way to write EVAL to modify information in a chart https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141459#M39192 <P>Item1, Item2, Item3 can have any value.</P> Tue, 14 Apr 2015 00:49:13 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-better-way-to-write-EVAL-to-modify-information-in-a/m-p/141459#M39192 kshanky143 2015-04-14T00:49:13Z