Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can I add constant field/value conditionally?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following query:
"MyToken" status >= 400
| stats count by status,action
That produces a table like :
| status | action | count |
| 404 | action1 | 20 |
| 500 | action2 | 30 |
| 400 | action3 | 50 |
I would like to add a constant "description" depending on the status so that for example the output looks like :
| status | action | count | description |
| 404 | action1 | 20 | NOT FOUND |
| 500 | action2 | 30 | INTERNAL ERROR |
| 400 | action3 | 50 | INVALID Request |
The description should map from the status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @yk010123 ,
You may use the following eval case to map the description with your status code,
| eval description=case(status=="404","NOT FOUND",status==500,"INTERNAL ERROR",status=="400","INVALID Request",1=1,"NULL")Kindly support the answer if found helpful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @yk010123 ,
You may use the following eval case to map the description with your status code,
| eval description=case(status=="404","NOT FOUND",status==500,"INTERNAL ERROR",status=="400","INVALID Request",1=1,"NULL")Kindly support the answer if found helpful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @yk010123, you can map a lookup file to the status codes using the following command:
| lookup http_status_codes_lookup.csv status OUTPUT description
This assumes you have a lookup file containing the fields status and description. If you don't yet have a lookup, you can add one through settings, lookups. You could start by getting a prefilled csv file at iana:
https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
or
https://www.iana.org/assignments/http-status-codes/http-status-codes-1.csv
You can read more about adding lookups over here:
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
