Splunk Search

Add a column to search (stats)

rzpotschien
New Member

Hi there,

I have a table with some columns. Splunk should show a new column with a dynamic value.
When the value of source is Aruba, then Splunk should fill the value in the new column with ABC.
When the value of source is dell, then Splunk should fill the value in the new column with DEF.
and so on...

source="Aruba" OR source="dell" | table source
(simplified search)

Is it possible in Splunk?

Thanks in advance.

Splunk Version 6.3

0 Karma

somesoni2
Revered Legend

I guess you're looking for an "EVAL - IF" or "EVAL - CASE" statement:

source="Aruba" OR source="dell" | table source | eval newfield=if(source="Aruba","ABC","DEF")

source="Aruba" OR source="dell" | table source | eval newfield=case(source="Aruba", "ABC", source="dell", "DEF", 1=1, "Unknown")
0 Karma