Splunk Enterprise

Eval statement help

jerinvarghese
Communicator

Hi All,

I need your help in getting a value set for a particular keyword matching 2 parameters with an eval statement.

Below is my query.

index=itsm
    ~truncated~

    | eval CRITICAL=if(Impact="1-Extensive" AND Urgency="1-Critical",1,0) 
    | eval CRITICAL=if(Impact="2-Significant" AND Urgency="1-Critical",1,0) 
    | eval CRITICAL=if(Impact="1-Extensive" AND Urgency="2-High",1,0) 
    
    | eval HIGH=if(Impact="2-Significant" AND Urgency="3-Medium",1,0) 
    | eval HIGH=if(Impact="2-Significant" AND Urgency="4-Low",1,0) 
    | eval HIGH=if(Impact="2-Significant" AND Urgency="2-High",1,0) 
    | eval HIGH=if(Impact="1-Extensive" AND Urgency="3-Medium",1,0) 
    | eval HIGH=if(Impact="1-Extensive" AND Urgency="4-Low",1,0) 
    
    | eval MEDIUM=if(Impact="3-Moderate" AND Urgency="1-Critical",1,0) 
    | eval MEDIUM=if(Impact="3-Moderate" AND Urgency="2-High",1,0) 
    | eval MEDIUM=if(Impact="3-Moderate" AND Urgency="3-Medium",1,0) 
    | eval MEDIUM=if(Impact="4-Minor" AND Urgency="1-Critical",1,0) 
    | eval MEDIUM=if(Impact="4-Minor" AND Urgency="2-High",1,0) 
    
    | eval LOW=if(Impact="3-Moderate" AND Urgency="4-Low",1,0)
    | eval LOW=if(Impact="4-Minor" AND Urgency="4-Low",1,0)
    | eval LOW=if(Impact="4-Minor" AND Urgency="3-Medium",1,0)
    
    
    | table Incident_Number, Impact, Urgency, CRITICAL, HIGH, MEDIUM, LOW

I will get Incident_Number, Impact and Urgency from the index. I tried the above combination, but am not getting the exact value.

CRITICAL, HIGH, MEDIUM, LOW: these are the combinations of Impact and Urgency.

Below is the table that I am looking for. Please help me with this.


Incident_Number   Impact         Urgency   CRITICAL  HIGH  MEDIUM  LOW
INC000013677484   4-Minor        4-Low     0         0     0       1
INC000013677686   2-Significant  2-High    0         1     0       0


damann
Communicator

Let's look at the following example:
You got an event with Impact="1-Extensive" and Urgency="1-Critical".

Your first eval sets CRITICAL to TRUE.
Your second eval sets CRITICAL to FALSE, as does your third one.

You can solve your problem by using a case statement:

| eval CRITICAL=case(Impact="1-Extensive" AND Urgency="1-Critical",1,
Impact="2-Significant" AND Urgency="1-Critical",1,
Impact="1-Extensive" AND Urgency="2-High",1,
1=1,0)

Repeat the above approach with your evals for HIGH, MEDIUM and LOW.



to4kawa
Ultra Champion
index=itsm
    ~truncated~
| eval Impact_value=tonumber(substr(Impact,1,1)), Urgency_value=tonumber(substr(Urgency,1,1))
| eval status=case(Impact_value <= 2 AND Impact_value + Urgency_value <= 3,"CRITICAL"
    ,Impact_value <= 2 AND Impact_value + Urgency_value <= 6,"HIGH"
    ,Impact_value <= 4 AND Impact_value + Urgency_value <= 6,"MEDIUM"
    ,true(),"LOW")
| stats count values(Impact) as Impact values(Urgency) as Urgency by Incident_Number status
| eval {status} = count
| fields - status count
| table Incident_Number Impact Urgency CRITICAL HIGH MEDIUM LOW
| fillnull CRITICAL HIGH MEDIUM LOW

The case statement is easier to understand here.

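As an added example that is not code from any of the replies: a Python model of how Splunk's eval pipeline treats the overwriting `eval ... if()` chain from the question and the `case()` fix from the first answer, plus the compact numeric rule of the answer above. It assumes the HIGH band covers every Impact 1 or 2 combination that is not CRITICAL, which is exactly what the question's matrix lists.

```python
# Added example, not code from the thread: a Python model of how Splunk's eval
# pipeline treats the two approaches above, so the overwrite bug and the case()
# fix can be checked for every Impact/Urgency combination in the question.
IMPACTS = ["1-Extensive", "2-Significant", "3-Moderate", "4-Minor"]
URGENCIES = ["1-Critical", "2-High", "3-Medium", "4-Low"]

# Priority matrix exactly as listed in the question, kept in the order the
# original query's eval statements appear (that order is what causes the bug).
RULES = {
    "CRITICAL": [("1-Extensive", "1-Critical"), ("2-Significant", "1-Critical"),
                 ("1-Extensive", "2-High")],
    "HIGH": [("2-Significant", "3-Medium"), ("2-Significant", "4-Low"),
             ("2-Significant", "2-High"), ("1-Extensive", "3-Medium"),
             ("1-Extensive", "4-Low")],
    "MEDIUM": [("3-Moderate", "1-Critical"), ("3-Moderate", "2-High"),
               ("3-Moderate", "3-Medium"), ("4-Minor", "1-Critical"),
               ("4-Minor", "2-High")],
    "LOW": [("3-Moderate", "4-Low"), ("4-Minor", "4-Low"), ("4-Minor", "3-Medium")],
}

def sequential_evals(impact, urgency):
    """Original query: one `eval FIELD=if(cond,1,0)` per combination.
    Each eval overwrites FIELD, so only the last if() per field survives."""
    flags = {}
    for field, combos in RULES.items():
        for combo in combos:
            flags[field] = 1 if (impact, urgency) == combo else 0
    return flags

def case_evals(impact, urgency):
    """Fixed query: `eval FIELD=case(cond1,1, cond2,1, ..., 1=1,0)`.
    case() returns the value of the first true condition; 1=1 is the default."""
    return {field: (1 if (impact, urgency) in combos else 0)
            for field, combos in RULES.items()}

def arithmetic_status(impact, urgency):
    """Compact form of the substr()-based answer, assumed here with HIGH
    covering every remaining Impact 1 or 2 so that it reproduces the matrix."""
    i, u = int(impact[0]), int(urgency[0])
    if i <= 2 and i + u <= 3:
        return "CRITICAL"
    if i <= 2:
        return "HIGH"
    if i + u <= 6:
        return "MEDIUM"
    return "LOW"
```

For the two incidents in the question's expected table, `sequential_evals` leaves HIGH and LOW at 0 because the last if() for each field does not match, while `case_evals` returns the expected row.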

jerinvarghese
Communicator

The query is helpful, but it seems a little complex at first. But it worked.

richgalloway
SplunkTrust

Having repeated eval statements setting the same field means only the last one matters. Try using case, instead.

index=itsm
    ~truncated~

    | eval CRITICAL=case(Impact="1-Extensive" AND Urgency="1-Critical",1,
        Impact="2-Significant" AND Urgency="1-Critical",1,
        Impact="1-Extensive" AND Urgency="2-High",1,
        1==1,0)

    | eval HIGH=case(Impact="2-Significant" AND Urgency="3-Medium",1,
        Impact="2-Significant" AND Urgency="4-Low",1,
        Impact="2-Significant" AND Urgency="2-High",1,
        Impact="1-Extensive" AND Urgency="3-Medium",1,
        Impact="1-Extensive" AND Urgency="4-Low",1,
        1==1,0)

    | eval MEDIUM=case(Impact="3-Moderate" AND Urgency="1-Critical",1,
        Impact="3-Moderate" AND Urgency="2-High",1,
        Impact="3-Moderate" AND Urgency="3-Medium",1,
        Impact="4-Minor" AND Urgency="1-Critical",1,
        Impact="4-Minor" AND Urgency="2-High",1,
        1==1,0)

    | eval LOW=case(Impact="3-Moderate" AND Urgency="4-Low",1,
        Impact="4-Minor" AND Urgency="4-Low",1,
        Impact="4-Minor" AND Urgency="3-Medium",1,
        1==1,0)

    | table Incident_Number, Impact, Urgency, CRITICAL, HIGH, MEDIUM, LOW


---
If this reply helps you, Karma would be appreciated.