topic Create a new field/column on an event based on another field? in Splunk Search

Create a new field/column on an event based on another field?

hariivendiran — Wed, 22 Jun 2016 20:48:14 GMT

I am new to Splunk and I am creating a dashboard with events. I would like to create a new field on the event which will have a value based on another field.

P.S I already included the existing field as part of search .

For example:

When existing field has 'XXX' in it, I need to populate 'ABC' in the new field and 'YYY' as 'CDE'

Re: Create a new field/column on an event based on another field?

sundareshr — Wed, 22 Jun 2016 21:39:36 GMT

Try this

... | eval newfield=case(existingfield="XXX", "AAA", existingfield="YYY", "CDE", 1=1, null()) | ...

Re: Create a new field/column on an event based on another field?

woodcock — Fri, 24 Jun 2016 02:19:30 GMT

Your sentence can be read 2 ways. @sundareshr has interpreted and answered it one way, here is the other:

... | eval newfield=if(existingfield="XXX", "AAA", null()) | eval YYY=if(existingfield="XXX", "CDE", null()) | ...