Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field name and value to another Field name with different value

kyi
Explorer
‎05-11-2023 08:18 PM

Hello All,

We have a extracted field (example field name "Field1) with multiple value such as YYN, YNN, NYN etc.

Based on the current field and field value, would like to have "NewFieldName" and match the result as below smaple.

 

Sample

Field1 NewFieldName

YYN "OK"

YNN "NOT OK"

NYN "NOT OK"

 

Thanks🙏

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yeahnah
Motivator
‎05-11-2023 10:07 PM

Hi @kyi 

You sure can.  Something like this run anywhere example 

| makeresults
| eval field1=split("YYN,YNN,NYN,YYY", ",")
| mvexpand field1
 ``` above creates dummy events and is not needed ```
  ``` example below ```
| eval NewFieldName=case(field1="YYN", "OK", field1="YNN", "NOT OK", field1="NYN", "NOT OK", true(), "No match")
| table field1 NewFieldName

 Hope it helps

View solution in original post

Reply
Solved! Jump to solution
Solution

yeahnah
Motivator
‎05-11-2023 10:07 PM

Hi @kyi 

You sure can.  Something like this run anywhere example 

| makeresults
| eval field1=split("YYN,YNN,NYN,YYY", ",")
| mvexpand field1
 ``` above creates dummy events and is not needed ```
  ``` example below ```
| eval NewFieldName=case(field1="YYN", "OK", field1="YNN", "NOT OK", field1="NYN", "NOT OK", true(), "No match")
| table field1 NewFieldName

 Hope it helps

Reply
Solved! Jump to solution

kyi
Explorer
‎05-11-2023 10:34 PM

Thank You for your quick response and solution.

Apart from using Eval in the search, any other option we can use for matching? 

For example: every time extracted field1 with value we can directly use NewFieldName and it matching value?

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎05-11-2023 10:03 PM

You have not explained the logic to assign OK or not OK.  You haven't even explained whether your real data is just three characters.  If it is just that YYN has two "Y"s, this will do

| eval char = split(field1, "")
| stats count by field1 char
| where char == "Y"
| eval NewFieldName = if(count == 2, "OK", "NOT OK")

 

 

Reply
Solved! Jump to solution

kyi
Explorer
‎05-11-2023 10:30 PM

Thanks for you information, will do more explanation next time. 

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...