Splunk Cloud Platform

Help with Eval command!!

chinmay25
Path Finder

I am using the following eval command. I want the type column to pick up both the sources.

index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type= case(source=smf014,Input,source=smf015,Output, (source=smf015 and source=smf014),Both)
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type

 

I would appreciate the help.

1 Solution

scelikok
SplunkTrust

Hi @chinmay25,

Please try the search below; I think it is a case-sensitivity issue:

index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type=case(mvcount(source)>1,"Both",source LIKE "%SMF014","Input",source LIKE "%SMF015","Output")
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type
If this reply helps you, an upvote and "Accept as Solution" is appreciated.
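A self-contained way to reproduce the problem in this thread and check the accepted fix, added here as an illustration and not taken from any of the posts above. It builds four constructed events with `makeresults` (the paths `/smf/dumps/SMF014` and `/smf/dumps/SMF015` are made up to stand in for whatever the real `source` values were, and only DATETIME and JFCBDSNM are kept as BY fields so the output stays short), runs the same `stats values(source)` as the question, and then evaluates the exact-match `case()` from the thread next to a suffix match that uses `match()` with a case-insensitive `(?i)` regex. The `n_sources` and `sources` columns are the check scelikok asked for: what `stats` actually produced before the `eval` ran.

```spl
| makeresults count=4
| streamstats count AS n
| eval DATETIME=case(n<=2, "2021-01-25 10:00:00", n=3, "2021-01-25 10:05:00", 1=1, "2021-01-25 10:07:00")
| eval JFCBDSNM=case(n<=2, "PROD.PAYROLL.MASTER", n=3, "PROD.GL.DAILY", 1=1, "PROD.GL.EXTRACT")
| eval source=case(n=1 OR n=3, "/smf/dumps/SMF014", 1=1, "/smf/dumps/SMF015")
| stats values(source) AS source BY DATETIME JFCBDSNM
| eval n_sources=mvcount(source), sources=mvjoin(source, ";")
| eval Type_exact=case(source="smf014", "Input", source="smf015", "Output", 1=1, "Both")
| eval Type_suffix=case(mvcount(source)>1, "Both", match(source, "(?i)smf014$"), "Input", match(source, "(?i)smf015$"), "Output")
| table DATETIME JFCBDSNM n_sources sources Type_exact Type_suffix
```

Paste this into a search bar as-is (it needs no index). The PROD.PAYROLL.MASTER row has `n_sources=2` and both Type columns say Both. The two single-source rows get Both from `Type_exact`, because `source="smf014"` compares the whole path against the literal string and never matches (and a comparison against a lowercase literal is case-sensitive even when the path does end in the name), so the `1=1` default fires; `Type_suffix` gives Input and Output for the same rows. Two things to keep in mind: the `mvcount(source)>1` branch has to come first, since the later branches are only meaningful once `source` is single-valued; and the `$` anchors the match to the end of the path, so if the real source carries a suffix such as a file extension, drop or adjust the anchor. The first search in the question also wrote `Input` and `Output` without quotes, which `eval` reads as field names rather than strings, which is why that version produced nothing at all.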

scelikok
SplunkTrust

Hi @chinmay25,

I believe you want to see "Input", "Output" or "Both" as text in the Type field. The search result must be showing these values. Do you mean Input, Output and Both as other field names? Do you want to see the values of those fields in the Type field?

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

chinmay25
Path Finder

Hi Scelikok,

I want the result table to have the following column for Type. It should not have "Both" in it. In place of SMF014 I want Input, and in place of SMF015 I want Output, in the Type column.

Type
Input
Input
Input
Input
Output
Input
Output
Input

scelikok
SplunkTrust

Hi @chinmay25,

I get the problem now: it was not supposed to show all rows as "Both". Please try the search below:

index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type=case(source="smf014","Input",source="smf015","Output",1=1,"Both")
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

chinmay25
Path Finder

Hi,

I tried your latest command with 1=1, "Both". The table still shows Both and not Input or Output.

Type
Both
Both
Both

chinmay25
Path Finder

And if I try the if command, I get a blank column.

scelikok
SplunkTrust

Is it possible that all events are coming from both sources? Can you please show the stats command output before the eval?

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

chinmay25
Path Finder

This is the result just after the stats command.

[screenshot attachment: chinmay25_0-1611612377322.png]

scelikok
SplunkTrust

OK, source is not an exact match to smf014 or smf015. Please try the search below:

index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type=case(mvcount(source)>1,"Both",source LIKE "%smf014","Input",source LIKE "%smf015","Output")
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

chinmay25
Path Finder

Hi Scelikok,

Unfortunately, it's still not picking up anything in the Type column.

The Type column is blank.

Chinmay.

scelikok
SplunkTrust

Hi @chinmay25,

Please try the search below; I think it is a case-sensitivity issue:

index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type=case(mvcount(source)>1,"Both",source LIKE "%SMF014","Input",source LIKE "%SMF015","Output")
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type
If this reply helps you, an upvote and "Accept as Solution" is appreciated.

chinmay25
Path Finder

Thank you. This solution works.

I had used the append command to make it work, but this is more efficient.

Regards,

Chinmay.


scelikok
SplunkTrust

Hi @chinmay25,

Please try the search below:

index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type= case(source=smf014,"Input",source=smf015,"Output",1=1,"Both")
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

chinmay25
Path Finder

Hi Scelikok,

Thank you for the help. It does work.

However, I may have defined the problem incorrectly.

What I expect the Type column to pick up is INPUT in place of SMF014 and OUTPUT in place of SMF015.

Looking forward to your suggestion.

Chinmay.