Splunk Search

Case condition to check 2 events on the same field

Ashwini008
Builder

Hi,

I want to write a case condition where I can check values from the Range column.

For instance

If the range for both Cost and Product is low, then a new column should show the value as low.

If the range for both Cost and Product is severe, then the new column should show severe.

If Cost=severe and Product=low, or Cost=low and Product=severe, then the new column should be elevated.


Please suggest.


PickleRick
SplunkTrust

What have you tried so far?


Ashwini008
Builder

@PickleRick Tried a case condition with the existing field, but only the default condition is matching.

Also tried to get the results in separate columns, yet I'm getting only the default condition value, i.e. 0.

Field names differ in the code below.

| fillnull value=NA rangecost rangeproduct
| eval Valuecombine=case(
    ((rangecost="low" AND Metric="Cost") AND (rangeproduct="low" AND Metric="Product")), "1",
    ((rangecost="severe" AND Metric="Cost") AND (rangeproduct="severe" AND Metric="Product")), "2",
    ((rangecost="low" AND Metric="Cost") AND (rangeproduct="severe" AND Metric="Product")), "3",
    ((rangecost="severe" AND Metric="Cost") AND (rangeproduct="low" AND Metric="Product")), "4",
    1=1, 0)
| table Metric Application rangeproduct rangecost Valuecombine

| eval Valuecombine=case(
    rangeproduct="low" AND rangecost="low", "1",
    rangeproduct="severe" AND rangecost="severe", "2",
    rangeproduct="low" AND rangecost="severe", "3",
    rangeproduct="severe" AND rangecost="low", "4",
    1=1, 0)


PickleRick
SplunkTrust

OK. Different metrics are in separate events, so you can't really do a single-row eval to match/compare/whatever them. Also, the requirement about adding a column where there are two separate rows seems a bit imprecise. Is there an additional field which "groups" the metrics? The Application field? If so, you should first use xyseries to combine the different metrics into a single row by that identifier. Then you can use your eval with case or whatever you want.

| xyseries Application Metric range

Ashwini008
Builder

@PickleRick Thanks, but I need the result to be as before, i.e. Metric, Application, range, new column, and untable isn't working here.


 


PickleRick
SplunkTrust

But what meaning would the additional column have if it was "attached" to only one parameter?

You want to have the same value in both rows? Do xyseries and then untable (yes, untable might be tricky if you have multiple columns; you'd need to "pack" and "unpack" them) or do eventstats.

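A worked version of the eventstats route, added here as an example and not taken from any post in the thread. It keeps the original one-row-per-Metric layout the asker wants, so no xyseries/untable packing is needed. The data is constructed inline with makeresults (the Application, Metric and range values are made up for illustration), and the search assumes exactly one Cost event and one Product event per Application in the search window; with more than one, values() would return a multivalue field and the case() comparisons would need mvindex() or a different aggregation.

```spl
| makeresults count=6
| streamstats count AS n
| eval Application=case(n<=2, "AppA", n<=4, "AppB", true(), "AppC")
| eval Metric=if(n%2=1, "Cost", "Product")
| eval range=case(n=1, "low", n=2, "low", n=3, "severe", n=4, "low", n=5, "severe", n=6, "severe")
| fields - _time n
| eval cost_range=if(Metric="Cost", range, null())
| eval product_range=if(Metric="Product", range, null())
| eventstats values(cost_range) AS cost_range, values(product_range) AS product_range BY Application
| eval Combined=case(
    cost_range="low" AND product_range="low", "low",
    cost_range="severe" AND product_range="severe", "severe",
    (cost_range="severe" AND product_range="low") OR (cost_range="low" AND product_range="severe"), "elevated",
    true(), "unknown")
| fields - cost_range product_range
| table Metric Application range Combined
```

Everything above `| fields - _time n` only fabricates the sample events; replace it with the real base search. With the constructed data, both AppA rows get Combined=low, both AppB rows get elevated, and both AppC rows get severe, while each row still carries its own Metric and range. The two intermediate fields copy each metric's range onto its own event and null() elsewhere, so values() BY Application carries the partner's value onto every row of that application without collapsing the rows the way stats or xyseries would; the trailing true() branch catches applications where one of the two metrics is missing instead of silently leaving Combined empty.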