Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Check the first character of a string with eval case

Chandras11
Communicator
‎04-11-2018 05:36 AM

Hi Team,
I want to create a new field REGION_ID With following requrirements:-
If (TKT_CREATOR ="IP-Z" OR "DEP-IP-Z")
REGION_ID = "IpHW"
Else If (TKT_CREATOR ="IP-Z" OR "DEP-IP-Z")
REGION_ID = "IP-CS"

index="Index1" sourcetype="XXX"| eval REGION_ID = case((TKT_CREATOR == "IP-Z" OR TKT_CREATOR == "DEP-IP-Z"), "IpHW", (TKT_CREATOR== "IP-W" OR TKT_CREATOR == "DEP-IP-W"), "IP-CS")

and this is working fine.

Now I would also like to check If First Character of another field "Name" is "X" then REGION_ID = "X_Region" (in the same eval case statement). Is there a way to check the first character of a field value and assign other value to the new field REGION_ID.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎04-11-2018 05:59 AM

hey Try this

index="Index1" sourcetype="XXX" 
| eval REGION_ID = case((TKT_CREATOR == "IP-Z" OR TKT_CREATOR == "DEP-IP-Z"), "IpHW", (TKT_CREATOR== "IP-W" OR TKT_CREATOR == "DEP-IP-W"), "IP-CS",substr(Name,1,1)="X","X_Region")

let me know if this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎04-11-2018 05:59 AM

hey Try this

index="Index1" sourcetype="XXX" 
| eval REGION_ID = case((TKT_CREATOR == "IP-Z" OR TKT_CREATOR == "DEP-IP-Z"), "IpHW", (TKT_CREATOR== "IP-W" OR TKT_CREATOR == "DEP-IP-W"), "IP-CS",substr(Name,1,1)="X","X_Region")

let me know if this helps!

Reply
Solved! Jump to solution

kmaron
Motivator
‎04-11-2018 07:01 AM

I didn't think to put the substr right in the case. I like that!

0 Karma
Reply
Solved! Jump to solution

Chandras11
Communicator
‎04-11-2018 06:02 AM

super, thank you 🙂

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎04-11-2018 05:53 AM 
index="Index1" sourcetype="XXX" 
| eval firstCharOfName=substr(Name,1,1) 
| eval REGION_ID = case((TKT_CREATOR == "IP-Z" OR TKT_CREATOR == "DEP-IP-Z"), "IpHW", (TKT_CREATOR== "IP-W" OR TKT_CREATOR == "DEP-IP-W"), "IP-CS", firstCharOfName=="X", "X_Region")

If you extract the first character of Name using an eval into a field firstCharofName then you should be able to add that to your case.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...