Splunk Enterprise

assign values to multiple variables with the case command

antonio147
Communicator

hi,
I have a question to ask: can you assign values to multiple variables in Splunk with the case command?
I need that based on a filter chosen in the dashboard, it performs a different search based on what has been selected.
I have a filter with options: red, green, yellow, blue, black
If you choose red, the search must be:
search field1 = A AND field2 = B
if you choose green:
search field1 = C AND field2 = D AND field3 = E
if you choose yellow:
search field1 = X AND field2 = Y
.....
I wanted to use a case like:
eval KK, HH, JJ = case (
color = "red", KK = A, HH = B, JJ = "",
color = "green", KK = C, HH = D, JJ = E,
color = "yellow", KK = X, HH = Y, JJ = "",
1 = 1, "INV")

It can be done?
Or do I have to use as many cases as there are variables I need in the search?

Tks
Bye
Antonio

Labels (1)
Tags (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Something like this

| eval mv = case (
color = "red", mvappend(A,B,""),
color = "green", mvappend(C,D,E),
color = "yellow", mvappend(X,Y,""),
1 = 1, mvappend("INV","INV","INV"))
eval KK = mvindex(mv,0), HH = mvindex(mv,1), JJ = mvindex(mv,2)

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

You can only assign to one field at a time - having said that, you could assign as a multi-value field and then use mvindex to assign the various parts to their respective fields.

antonio147
Communicator

Hi ITWishperer,
Thanks for the reply.
That was what I was afraid of, I tried to search the community but to no avail.
Can you give me an example?
I haven't used mvindex yet, if I understand correctly, do I create a new field with the values I need and then do the split? to have the values separated and with coalesce do I check when it is null?

Tks

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Something like this

| eval mv = case (
color = "red", mvappend(A,B,""),
color = "green", mvappend(C,D,E),
color = "yellow", mvappend(X,Y,""),
1 = 1, mvappend("INV","INV","INV"))
eval KK = mvindex(mv,0), HH = mvindex(mv,1), JJ = mvindex(mv,2)

antonio147
Communicator

I had tried something like this but without mvappend .... 🙂
Tks for your solution so it works great !!!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...