
Help with Eval command!!

chinmay25
Path Finder

I am using the following eval command. I want the type column to pick up both the sources.

index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type= case(source=smf014,Input,source=smf015,Output, (source=smf015 and source=smf014),Both)
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type


I would appreciate the help.


scelikok
Champion

Hi @chinmay25,

I believe that you want to see "Input", "Output" or "Both" as text in the Type field. The search result must be showing these values. Do you mean Input, Output and Both as other field names? Do you want to see the values of these fields in the Type field?

If this reply helps you an upvote is appreciated.

chinmay25
Path Finder

Hi Scelikok,

I want the result table to have the following column for type. It should not have "Both" in it. In place of SMF014 I want Input and In place of SMF015 I want Output in the Type Column.

Type
Input
Input
Input
Input
Output
Input
Output
Input

scelikok
Champion

Hi @chinmay25,

I got the problem now, it was not supposed to show all as "Both". Please try below;

index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type=case(source="smf014","Input",source="smf015","Output",1=1,"Both")
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type

If this reply helps you an upvote is appreciated.

chinmay25
Path Finder

Hi,

I tried your latest command with 1=1, "Both". The table still shows Both and not Input or Output.

Type
Both
Both
Both

chinmay25
Path Finder

And if I try the if command, I get a blank column.

scelikok
Champion

Is it possible that all events are coming from both sources? Can you please show the stats command output before the eval?

If this reply helps you an upvote is appreciated.

chinmay25
Path Finder

This is the result just after the stats command.

[screenshot attached: chinmay25_0-1611612377322.png]

scelikok
Champion

OK, source is not an exact match to smf014 or smf015. Please try below;

index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type=case(mvcount(source)>1,"Both",source LIKE "%smf014","Input",source LIKE "%smf015","Output")
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type

If this reply helps you an upvote is appreciated.

chinmay25
Path Finder

Hi Scelikok,

Unfortunately, it's still not picking up anything in the Type column.

The Type column is blank.

Chinmay.

scelikok
Champion

Hi @chinmay25,

Please try below, I think it is case sensitivity;

index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type=case(mvcount(source)>1,"Both",source LIKE "%SMF014","Input",source LIKE "%SMF015","Output")
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type
If this reply helps you an upvote is appreciated.
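The accepted query's case() exercised on constructed data, as an added example that is not part of the thread. The dataset names, the path-style source values and the extra `exact` column are my own assumptions; the run-anywhere search builds four groups (SMF014 only, SMF015 only, both, and a lowercase smf014), then applies the exact-match eval from earlier in the thread beside the accepted LIKE/mvcount eval so the difference is visible in one table.

```spl
| makeresults count=4
| streamstats count AS n
| eval JFCBDSNM=case(n=1,"DS.ONE", n=2,"DS.TWO", n=3,"DS.THREE", n=4,"DS.FOUR")
| eval source=case(n=1,"/zos/SMF014", n=2,"/zos/SMF015", n=3,"/zos/SMF014,/zos/SMF015", n=4,"/zos/smf014")
| makemv delim="," source
| mvexpand source
| stats values(source) AS source BY JFCBDSNM
| eval exact=case(source="smf014","Input", source="smf015","Output", 1=1,"Both")
| eval Type=case(mvcount(source)>1,"Both", source LIKE "%SMF014","Input", source LIKE "%SMF015","Output")
| table JFCBDSNM source exact Type
```

Expected result: `exact` is "Both" on every row because a full path never equals the bare string, while `Type` is Input, Output, Both and then blank for DS.FOUR, since eval string comparison is case-sensitive and the uppercase pattern does not match the lowercase path. That last blank row is the symptom reported earlier in the thread, and it disappears once the pattern matches the case of the actual source value.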

chinmay25
Path Finder

Thank you. This solution works.

I had used the append command to make it work, but this is more efficient.

Regards,

Chinmay.


scelikok
Champion

Hi @chinmay25,

Please try below;

index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type= case(source=smf014,"Input",source=smf015,"Output",1=1,"Both")
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type

If this reply helps you an upvote is appreciated.

chinmay25
Path Finder

Hi Scelikok,

Thank you for the help. It does work.

However, I may have defined the problem incorrectly.

What I expect the Type column to pick up is INPUT in place of SMF014 and OUTPUT in place of SMF015.

Looking forward to your suggestion.

Chinmay.