Solved: Check the first character of a string with eval ca...

Chandras11 · ‎04-11-2018

Hi Team,
I want to create a new field REGIONID With following requrirements:-
If (TKTCREATOR ="IP-Z" OR "DEP-IP-Z")
REGIONID = "IpHW"
Else If (TKTCREATOR ="IP-Z" OR "DEP-IP-Z")
REGION_ID = "IP-CS"

index="Index1" sourcetype="XXX"| eval REGIONID = case((TKTCREATOR == "IP-Z" OR TKTCREATOR == "DEP-IP-Z"), "IpHW", (TKTCREATOR== "IP-W" OR TKT_CREATOR == "DEP-IP-W"), "IP-CS")

and this is working fine.

Now I would also like to check If First Character of another field "Name" is "X" then REGIONID = "XRegion" (in the same eval case statement). Is there a way to check the first character of a field value and assign other value to the new field REGION_ID.

kmaron · ‎04-11-2018

index="Index1" sourcetype="XXX" 
| eval firstCharOfName=substr(Name,1,1) 
| eval REGION_ID = case((TKT_CREATOR == "IP-Z" OR TKT_CREATOR == "DEP-IP-Z"), "IpHW", (TKT_CREATOR== "IP-W" OR TKT_CREATOR == "DEP-IP-W"), "IP-CS", firstCharOfName=="X", "X_Region")

If you extract the first character of Name using an eval into a field firstCharofName then you should be able to add that to your case.

mayurr98 · ‎04-11-2018

hey Try this

index="Index1" sourcetype="XXX" 
| eval REGION_ID = case((TKT_CREATOR == "IP-Z" OR TKT_CREATOR == "DEP-IP-Z"), "IpHW", (TKT_CREATOR== "IP-W" OR TKT_CREATOR == "DEP-IP-W"), "IP-CS",substr(Name,1,1)="X","X_Region")

let me know if this helps!

View solution in original post

Chandras11 · ‎04-11-2018

super, thank you 🙂

kmaron · ‎04-11-2018

I didn't think to put the substr right in the case. I like that!

Check the first character of a string with eval case

Re: Check the first character of a string with eval case

Re: Check the first character of a string with eval case

Re: Check the first character of a string with eval case

Re: Check the first character of a string with eval case