- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk_rocks
Path Finder
06-13-2018
10:30 AM
I have fields like Uid and Case If the case is authentication then then my new field has to show Uid number.
Case. uid
authentication 12r345567
signoff z234567
signoff rt34567
authentication 34r56789
authentication 24r56789
Im just trying to write eval statement like eval New_UId = if(match(case=authentication "uid", "None" )
but could not make it so just posting here ..
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
06-13-2018
10:41 AM
try this run anywhere search:
| makeresults |eval uid=1, case1="authentication"|eval New_UId = if(case1=="authentication" ,uid, "None" )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
06-13-2018
10:41 AM
try this run anywhere search:
| makeresults |eval uid=1, case1="authentication"|eval New_UId = if(case1=="authentication" ,uid, "None" )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk_rocks
Path Finder
06-13-2018
11:40 AM
Thanks bud it worked ..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mdsnmss
SplunkTrust
06-13-2018
10:34 AM
You should be able to create a calculated field that is just if(case=authentication,uid,"None")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk_rocks
Path Finder
06-13-2018
11:41 AM
Thank you mdsnmss
