Splunk Search

Field name and value to another Field name with different value

kyi
Explorer

Hello All,

We have a extracted field (example field name "Field1) with multiple value such as YYN, YNN, NYN etc.

Based on the current field and field value, would like to have "NewFieldName" and match the result as below smaple.

 

Sample

Field1 NewFieldName

YYN "OK"

YNN "NOT OK"

NYN "NOT OK"

 

Thanks🙏

Labels (2)
Tags (1)
0 Karma
1 Solution

yeahnah
Motivator

Hi @kyi 

You sure can.  Something like this run anywhere example 

| makeresults
| eval field1=split("YYN,YNN,NYN,YYY", ",")
| mvexpand field1
 ``` above creates dummy events and is not needed ```
  ``` example below ```
| eval NewFieldName=case(field1="YYN", "OK", field1="YNN", "NOT OK", field1="NYN", "NOT OK", true(), "No match")
| table field1 NewFieldName

 Hope it helps

View solution in original post

yeahnah
Motivator

Hi @kyi 

You sure can.  Something like this run anywhere example 

| makeresults
| eval field1=split("YYN,YNN,NYN,YYY", ",")
| mvexpand field1
 ``` above creates dummy events and is not needed ```
  ``` example below ```
| eval NewFieldName=case(field1="YYN", "OK", field1="YNN", "NOT OK", field1="NYN", "NOT OK", true(), "No match")
| table field1 NewFieldName

 Hope it helps

kyi
Explorer

Thank You for your quick response and solution.

Apart from using Eval in the search, any other option we can use for matching? 

For example: every time extracted field1 with value we can directly use NewFieldName and it matching value?

0 Karma

yuanliu
SplunkTrust
SplunkTrust

You have not explained the logic to assign OK or not OK.  You haven't even explained whether your real data is just three characters.  If it is just that YYN has two "Y"s, this will do

| eval char = split(field1, "")
| stats count by field1 char
| where char == "Y"
| eval NewFieldName = if(count == 2, "OK", "NOT OK")

 

 

kyi
Explorer

Thanks for you information, will do more explanation next time. 

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...