Solved: Re: Eval a field twice based on index name

bleung93 · ‎04-04-2014

I have a field totalVolumeGB thats value is based on the eval below. I want to eval the same field, but with a filter based on the index field.

The index field is essentially index=*.

... | eval totalVolumeGB=10*(homePath_maxDataSizeMB+coldPath_maxDataSizeMB)/1024

I want to add this to the previous query, when my "index=summary_*"

... | eval totalVolumeGB=23*(homePath_maxDataSizeMB+coldPath_maxDataSizeMB)/1024

somesoni2 · ‎04-04-2014

try this

   ... | eval totalVolumeGB=if(like(index,"summary_%"),23*(homePath_maxDataSizeMB+coldPath_maxDataSizeMB)/1024,10*(homePath_maxDataSizeMB+coldPath_maxDataSizeMB)/1024) | ...

OR

... | eval totalVolumeGB =(homePath_maxDataSizeMB+coldPath_maxDataSizeMB)/1024| eval totalVolumeGB=if(like(index,"summary_%"),23*totalVolumeGB ,10*totalVolumeGB ) | ...

View solution in original post

aelliott · ‎04-04-2014

how about something like this:
... | eval num=if(like(index,"summary_%"),23,10) | eval totalVolumeGB=num*(homePath_maxDataSizeMB+coldPath_maxDataSizeMB)/1024

somesoni2 · ‎04-04-2014

try this

   ... | eval totalVolumeGB=if(like(index,"summary_%"),23*(homePath_maxDataSizeMB+coldPath_maxDataSizeMB)/1024,10*(homePath_maxDataSizeMB+coldPath_maxDataSizeMB)/1024) | ...

OR

... | eval totalVolumeGB =(homePath_maxDataSizeMB+coldPath_maxDataSizeMB)/1024| eval totalVolumeGB=if(like(index,"summary_%"),23*totalVolumeGB ,10*totalVolumeGB ) | ...

somesoni2 · ‎04-04-2014

Thanks @aelliott for pointing it out. corrected now.

Eval a field twice based on index name

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!