Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field name and value to another Field name with different value

kyi
Explorer
‎05-11-2023 08:18 PM

Hello All,

We have a extracted field (example field name "Field1) with multiple value such as YYN, YNN, NYN etc.

Based on the current field and field value, would like to have "NewFieldName" and match the result as below smaple.

 

Sample

Field1 NewFieldName

YYN "OK"

YNN "NOT OK"

NYN "NOT OK"

 

Thanks🙏

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yeahnah
Motivator
‎05-11-2023 10:07 PM

Hi @kyi 

You sure can.  Something like this run anywhere example 

| makeresults
| eval field1=split("YYN,YNN,NYN,YYY", ",")
| mvexpand field1
 ``` above creates dummy events and is not needed ```
  ``` example below ```
| eval NewFieldName=case(field1="YYN", "OK", field1="YNN", "NOT OK", field1="NYN", "NOT OK", true(), "No match")
| table field1 NewFieldName

 Hope it helps

View solution in original post

Reply
Solved! Jump to solution
Solution

yeahnah
Motivator
‎05-11-2023 10:07 PM

Hi @kyi 

You sure can.  Something like this run anywhere example 

| makeresults
| eval field1=split("YYN,YNN,NYN,YYY", ",")
| mvexpand field1
 ``` above creates dummy events and is not needed ```
  ``` example below ```
| eval NewFieldName=case(field1="YYN", "OK", field1="YNN", "NOT OK", field1="NYN", "NOT OK", true(), "No match")
| table field1 NewFieldName

 Hope it helps

Reply
Solved! Jump to solution

kyi
Explorer
‎05-11-2023 10:34 PM

Thank You for your quick response and solution.

Apart from using Eval in the search, any other option we can use for matching? 

For example: every time extracted field1 with value we can directly use NewFieldName and it matching value?

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎05-11-2023 10:03 PM

You have not explained the logic to assign OK or not OK.  You haven't even explained whether your real data is just three characters.  If it is just that YYN has two "Y"s, this will do

| eval char = split(field1, "")
| stats count by field1 char
| where char == "Y"
| eval NewFieldName = if(count == 2, "OK", "NOT OK")

 

 

Reply
Solved! Jump to solution

kyi
Explorer
‎05-11-2023 10:30 PM

Thanks for you information, will do more explanation next time. 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...