topic Re: Is it possible to extract results of an eval match as fields? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227135#M67047 <P>Hi, did any of the comments below help you on this?<BR /> If yes, can you mark it as answered?<BR /> If not, is there any else we can do to help?<BR /> Unanswered questions make me sad <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Mon, 09 May 2016 16:36:00 GMT javiergn 2016-05-09T16:36:00Z Is it possible to extract results of an eval match as fields? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227130#M67042 <P>Is it possible to do something like this:</P> <PRE><CODE>...|eval Classification=case(match(class,"Boy"),"Boy",match(class,"Girl"),"Girl",match(class,"Man"),"Man") |code_I_am_looking_for | stats count by Boy,Girl,Man </CODE></PRE> <P>Thanks in advance</P> Sun, 01 May 2016 15:47:43 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227130#M67042 ibekacyril 2016-05-01T15:47:43Z Re: Is it possible to extract results of an eval match as fields? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227131#M67043 <P>Have you tried just </P> <PRE><CODE>...|eval Classification=case(match(class,"Boy"),"Boy",match(class,"Girl"),"Girl",match(class,"Man"),"Man") | stats count by Classification </CODE></PRE> <P>?</P> Mon, 02 May 2016 01:09:09 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227131#M67043 Richfez 2016-05-02T01:09:09Z Re: Is it possible to extract results of an eval match as fields? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227132#M67044 <P>No, that's not what I want. Doing a stat count by classification lists Boy,Girl,Man under Classification. I want to split the match into fields if possible, then do stats count on the new fields</P> Mon, 02 May 2016 01:35:44 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227132#M67044 ibekacyril 2016-05-02T01:35:44Z Re: Is it possible to extract results of an eval match as fields? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227133#M67045 <P>Have you tried with chart?</P> <PRE><CODE>| eval Classification=case(match(class,"Boy"),"Boy",match(class,"Girl"),"Girl",match(class,"Man"),"Man") | chart count over class by Classification | fields - class </CODE></PRE> <P>Alternatively, if you you know the name of your fields in advanced you could also do:</P> <PRE><CODE>| eval Classification=case(match(class,"Boy"),"Boy",match(class,"Girl"),"Girl",match(class,"Man"),"Man") | eval Boy = if (Classification == "Boy", 1, 0) | eval Girl = if (Classification == "Girl", 1, 0) | eval Man = if (Classification == "Man", 1, 0) | stats sum(*) as * </CODE></PRE> Mon, 02 May 2016 05:08:41 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227133#M67045 javiergn 2016-05-02T05:08:41Z Re: Is it possible to extract results of an eval match as fields? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227134#M67046 <P>From your response to my other Answer, maybe this answer will suit your need better.</P> <PRE><CODE>... | stats count(eval(match(class, "Boy"))) AS "Boy" count(eval(match(class, "Girl"))) AS "Girl" count(eval(match(class, "Man"))) AS "Man" </CODE></PRE> <P>That gets rid of a lot of complexity but should end up with an output like your description "I want to split the match into fields if possible, then do stats count on the new fields"</P> <P>Give that a try and let us know! </P> Mon, 02 May 2016 14:04:14 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227134#M67046 Richfez 2016-05-02T14:04:14Z Re: Is it possible to extract results of an eval match as fields? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227135#M67047 <P>Hi, did any of the comments below help you on this?<BR /> If yes, can you mark it as answered?<BR /> If not, is there any else we can do to help?<BR /> Unanswered questions make me sad <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Mon, 09 May 2016 16:36:00 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227135#M67047 javiergn 2016-05-09T16:36:00Z Re: Is it possible to extract results of an eval match as fields? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227136#M67048 <P>Hi Javiergn, sorry about the late response, your answer was very helpful</P> Wed, 18 May 2016 02:36:31 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-extract-results-of-an-eval-match-as-fields/m-p/227136#M67048 ibekacyril 2016-05-18T02:36:31Z