Splunk Search

Analyzing fields and concatenating results into new field

msarro
Builder

Greetings. I am working on a project to take in several fields of data. I would like to analyze each field of a record, and based on its results, place a comment in a new "Notes" field. This way a viewer can easily tell what happened without having to look at a ton of numbers. So, in a simplest case imagine you had three latencies in a csv:
1, 100, 11

If the goal was to have all of them be below 10, you could run a case statement against the first field, and since it was below 10, it wouldn't do anything. Then, checking the second field, it would be incredibly out of range, so it would add a note saying "Latency 2 excessively high.\n" (including a newline, if that is possible). Then it would check the third field and place a note in the notes field stating "Latency 3 marginally above threshold."

So in the end the contents of the "notes" field would say:

Latency 2 excessively high.
Latency 3 marginally above threshold.

Is this possible? Any ideas on how to accomplish it? In my case I will be analyzing approximately 20 fields, each of which will be analyzed with a case statement or an IF statement. I have not yet written the test cases.


sideview
SplunkTrust

The conditional eval logic at the simplest level would look like:

| eval notes=if(field2>=10,notes+"\nLatency 2 marginally above threshold",notes)

but it can be nested. Here a longer statement catches both the "excessively" case and the "marginally above" case.

| eval notes=if(field2>=100,notes+"\nLatency 2 excessively high",if(field2>=10,notes+"\nLatency 2 marginally above threshold",notes))

Indeed, you might want to use the case syntax because it's cleaner across the 20 fields. However, to avoid the marginal errors getting repeated, you probably want to still nest the logic, either inside raw evals like this or inside your cases.
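As an added example (not from the original thread), the same nested threshold logic applied to every latency field in one pass with foreach, so the eval does not have to be repeated 20 times. It collects the notes with mvappend, which yields one value per line in the results table and sidesteps two pitfalls of the plain concatenation above: an unset notes field concatenated with a string evaluates to null in eval, so nothing is ever recorded unless notes is initialised first, and the "\n" escape is not needed. The field names latency1..latency3, their sample values, and the thresholds 10 and 100 are constructed from the question.

```spl
| makeresults
| eval latency1=1, latency2=100, latency3=11
| foreach latency* [ eval notes=case('<<FIELD>>'>=100, mvappend(notes, "Latency <<MATCHSTR>> excessively high."), '<<FIELD>>'>=10, mvappend(notes, "Latency <<MATCHSTR>> marginally above threshold."), true(), notes) ]
| table latency1 latency2 latency3 notes
```

For the sample row this produces a two-value notes field, "Latency 2 excessively high." and "Latency 3 marginally above threshold.", and leaves notes empty for rows where every field is under 10; the case() ordering (100 before 10) is what keeps the excessive case from also being reported as marginal.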
