topic Re: How to write an eval search to fetch the value of field2 corresponding to field1? in Splunk Search

How to write an eval search to fetch the value of field2 corresponding to field1?

muthvin — Fri, 08 Jan 2016 07:15:25 GMT

Hi all,

How do I write an eval statement to fetch the value of field2 corresponding to field1?
For example, consider the table below:

field1  field2
Orange  10
apple    12
potato  13

If field1 value is orange, I want to assign a value of abc as corresponding field2 ..here it is 10
..|eval abc= value of field2 for orange..

Kindly help me in writing the search.

Thanks in advance
Muthu

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

javiergn — Fri, 08 Jan 2016 07:25:54 GMT

Try this:

yoursearch | eval field2 = if(match(field1,"Orange")), field1, field2)

If field1 matches Orange, then assign field1 to field2, else assign field2

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

muthvin — Fri, 08 Jan 2016 07:34:57 GMT

thanks for your reply:
Here im trying to create another field3
as per your suggestion im getting output like
field1 field2 field3
Orange 10 10
apple 12 12
potato 13 13

but i would like to have result as below:
field1 field2 field3
Orange 10 10
apple 12 10
potato 13 10

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

renjith_nair — Fri, 08 Jan 2016 07:41:41 GMT

<your search> |eval abc=if(field1=="Orange",field2,"")|eventstats values(abc) as abc

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

fdi01 — Fri, 08 Jan 2016 08:20:31 GMT

try:
yoursearch| eval abc= if(match(field1,"Orange")), field2, field2) | eval field3 = if(match(field1,"Orange")), field2, abc)

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

javiergn — Fri, 08 Jan 2016 08:36:44 GMT

Hi, so assuming you want to set the value of field3 in ALL your events to be field2 when field1 matches Orange, this is what I would do:

| inputcsv mycsv.csv
| join type=left [
   | inputcsv mycsv.csv
   | search field1 = "Orange"
   | eval fieldNEW = field2
   | fields fieldNEW
]
| eval field3 = fieldNEW
| fields - fieldNEW

mycsv.csv is just a csv matching the content of your table:

field1  field2  field3
Orange  10  11
apple   12  12
potato  13  13

And the query returns the following:

field1  field2  field3
Orange  10  10
apple   12  10
potato  13  10

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

muthvin — Fri, 08 Jan 2016 10:32:59 GMT

Hi,
also here if i want to save the value of field2 corresponding to filed1 value orange say here is 10 as another variable abc..how can i do that?

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

renjith_nair — Fri, 08 Jan 2016 10:58:35 GMT

Have you tried the search posted by me?

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

fdi01 — Fri, 08 Jan 2016 11:10:58 GMT

thx Mr renjith.nair you are right

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

muthvin — Mon, 11 Jan 2016 05:54:56 GMT

yes it is working for me..thx

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

muthvin — Mon, 11 Jan 2016 07:38:15 GMT

hi all,
With your previous suggestion i can able to create a parameter like in field3,but i want field pass and fail should get calculated like below.

Need your help!

field1 field2 field3 pass fail
Orange 10 10 10 0
apple 9 10 9 1
potato 7 10 7 3

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

renjith_nair — Mon, 11 Jan 2016 08:10:33 GMT

Pass or fail based on what and how?

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

muthvin — Mon, 11 Jan 2016 09:22:27 GMT

Pass = field3-field2
fail = field2-field3

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

renjith_nair — Mon, 11 Jan 2016 09:39:18 GMT

Did you try |eval Pass=field3-field2|eval Fail=Field2-Field2 ?

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

muthvin — Mon, 11 Jan 2016 09:55:29 GMT

yes i did Ranjith, but unfortunately im getting result for only one row not for all rows..Actually i'm struck here..

field1 field2 field3 pass fail
Orange 10 10 10 0
apple 9 10
potato 7 10

How to make this calculations happen to all rows?

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

muthvin — Mon, 11 Jan 2016 10:03:20 GMT

what i'm trying to do here is:
step1: i will check for field1 value..if it is orange
step2: fetch the corresponding value in field2..here the value is 10
step3: Assign this value to abc..such that abc=10
step4: eval new field pass =field2-abc..if it is equal to zero then value =abc else
step5: eval new field fail - gives the difference and provide me the difference.

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

renjith_nair — Mon, 11 Jan 2016 10:32:29 GMT

Try this

your search
|eval field3=if(field1=="Orange",field2,"")|eventstats values(field3) as field3
|eval field3=mvindex(field3,1)|eval status=if(field2==field3,field2,(field2-field3))
|table sourcetype field2 field3 status

   your search
    |eval field3=if(field1=="Orange",field2,"")|eventstats values(field3) as field3
    |eval field3=mvindex(field3,1)|eval status=if(field2==field3,"Pass (".field2.")","Fail (".(field2-field3).")")
    |table sourcetype field2 field3 status

Your search
|eval field3=if(field1=="Orange",field2,"")|eventstats values(field3) as field3
|eval field3=mvindex(field3,1)|eval pass=if(field2==field3,field2,"")|eval fail=if(field2==field3,"",(field2-field3))
|table sourcetype field2 field3 pass fail

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

muthvin — Mon, 11 Jan 2016 10:54:25 GMT

will you be able to explain me why we need to use mvindex here after assigning values(field3) as field3 ?

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

renjith_nair — Mon, 11 Jan 2016 12:03:11 GMT

Because in eventstats we are taking values(field3) which is a list includes "" and value. To get the value from a multivalue field we use mvindex
http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Parsemultivaluefields