conditional statements based on values with eval

shivareddysompa · ‎07-09-2020

i have date like below.

User Points gain

a 1004

b 900

c 850

d 700

e 600

i want to create new column based on Points gain like

if User got > 1000 then Expert, 850 to 1000 then Master, 700 to 850 average , <700 Slow

Thanks

richgalloway · ‎07-09-2020

You can do that with eval and case.

... | eval rank=case('Points gain'>1000, "Expert", 'Points gain'>=850, "Master", 'Points gain'>=700, "average", 1==1, "Slow")

---
If this reply helps you, Karma would be appreciated.

shivareddysompa · ‎07-09-2020

i tried same but not worked out here

richgalloway · ‎07-10-2020

It works here. What version of Splunk are you using?

| makeresults 
| eval _raw="User                        Points gain
a                                 1004
b                                  900
c                                  850
d                                  700
e                                  600" | multikv forceheader=1 | rename gain as "Points gain"
`comment("Above creates test data")`
| eval rank=case('Points gain'>1000, "Expert", 'Points gain'>=850, "Master", 'Points gain'>=700, "average", 1==1, "Slow")

---
If this reply helps you, Karma would be appreciated.

conditional statements based on values with eval

using Splunk Enterprise

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?