Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Check the first character of a string with eval case

Chandras11
Communicator
‎04-11-2018 05:36 AM

Hi Team,
I want to create a new field REGION_ID With following requrirements:-
If (TKT_CREATOR ="IP-Z" OR "DEP-IP-Z")
REGION_ID = "IpHW"
Else If (TKT_CREATOR ="IP-Z" OR "DEP-IP-Z")
REGION_ID = "IP-CS"

index="Index1" sourcetype="XXX"| eval REGION_ID = case((TKT_CREATOR == "IP-Z" OR TKT_CREATOR == "DEP-IP-Z"), "IpHW", (TKT_CREATOR== "IP-W" OR TKT_CREATOR == "DEP-IP-W"), "IP-CS")

and this is working fine.

Now I would also like to check If First Character of another field "Name" is "X" then REGION_ID = "X_Region" (in the same eval case statement). Is there a way to check the first character of a field value and assign other value to the new field REGION_ID.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎04-11-2018 05:59 AM

hey Try this

index="Index1" sourcetype="XXX" 
| eval REGION_ID = case((TKT_CREATOR == "IP-Z" OR TKT_CREATOR == "DEP-IP-Z"), "IpHW", (TKT_CREATOR== "IP-W" OR TKT_CREATOR == "DEP-IP-W"), "IP-CS",substr(Name,1,1)="X","X_Region")

let me know if this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎04-11-2018 05:59 AM

hey Try this

index="Index1" sourcetype="XXX" 
| eval REGION_ID = case((TKT_CREATOR == "IP-Z" OR TKT_CREATOR == "DEP-IP-Z"), "IpHW", (TKT_CREATOR== "IP-W" OR TKT_CREATOR == "DEP-IP-W"), "IP-CS",substr(Name,1,1)="X","X_Region")

let me know if this helps!

Reply
Solved! Jump to solution

kmaron
Motivator
‎04-11-2018 07:01 AM

I didn't think to put the substr right in the case. I like that!

0 Karma
Reply
Solved! Jump to solution

Chandras11
Communicator
‎04-11-2018 06:02 AM

super, thank you 🙂

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎04-11-2018 05:53 AM 
index="Index1" sourcetype="XXX" 
| eval firstCharOfName=substr(Name,1,1) 
| eval REGION_ID = case((TKT_CREATOR == "IP-Z" OR TKT_CREATOR == "DEP-IP-Z"), "IpHW", (TKT_CREATOR== "IP-W" OR TKT_CREATOR == "DEP-IP-W"), "IP-CS", firstCharOfName=="X", "X_Region")

If you extract the first character of Name using an eval into a field firstCharofName then you should be able to add that to your case.

Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...