Splunk Search

How do I use a value in an existing field to create a new field and assign output values?

ejohn
Path Finder

I'm trying to create a new field called TYPE, which is dependent on the word "summary" or "detail" appearing in the TITLE field, so I can then count by TYPE.

I successfully filtered my logs to identify reports with "summary" or "detail" in the title:

|search(title="*summary*" OR "*detail*")

Then, I tried to create TYPE and set its output values to "Report Summary" or "Detailed Report":

|eval type=if(match(title,"*summary*"), "Report Summary", match(title, "*detail*"), "Detailed Report")

I also tried doing a field extraction, but the title field does not appear in the Select Fields box to be highlighted.

I'm stuck. Please help!

0 Karma
1 Solution

woodcock
Esteemed Legend

Your stacked if should really be a case and your RegEx like this:

index=YouShouldAlwaysSpeciryAnIndex sourcetype=AndSourcetypeToo title="*summary*" OR "*detail*"
| eval type=case(match(title, "(?i)summary"), "Report Summary",
                 match(title, "(?i)detail"), "Detailed Report",
                 true(), "THIS SHOULD NEVER EVER HAPPEN")

View solution in original post

jkat54
SplunkTrust
SplunkTrust

@ejohn, since both answers worked, why don't you choose the one that runs the quickest, or consumes the least CPU/RAM or whatever you like, and then mark it as the answer and upvote both?

0 Karma

ejohn
Path Finder

@jkat54, thanks for the suggestion. I decided to accept the answer with the higher EPS.

Adding each eval to the rest of my search against 10 months of logs in Verbose mode:

|eval type=case(match(title...) returned 14,190 EPS

and

|eval type=if(match(title...)returned 13,408 EPS

ejohn
Path Finder

@jkat54 and @woodcock this is my first real attempt a crowdsourcing and I like it! You guys have been awesome!

jkat54
SplunkTrust
SplunkTrust

Hey @ejohn, anytime sir! That's what we do. Feel free to tag us when needed. @woodcock almost always has the best answer but I keep trying!

0 Karma

woodcock
Esteemed Legend

Your stacked if should really be a case and your RegEx like this:

index=YouShouldAlwaysSpeciryAnIndex sourcetype=AndSourcetypeToo title="*summary*" OR "*detail*"
| eval type=case(match(title, "(?i)summary"), "Report Summary",
                 match(title, "(?i)detail"), "Detailed Report",
                 true(), "THIS SHOULD NEVER EVER HAPPEN")

ejohn
Path Finder

Thanks for the quick response!

I tried this with * and with .* for wildcards, but I get the following error:

  Error in 'eval' command: The arguments  to the 'searchmatch' function are invalid.
0 Karma

woodcock
Esteemed Legend

I was adding features to searchmatch in my mind! Try updated answer instead.

0 Karma

ejohn
Path Finder

I changed * to .* in the eval and it worked!

Thanks so much!

woodcock
Esteemed Legend

ARGH! You are right again. That's what I get for writing RegEx in my head. I will fix the original answer (the right answer is to not have the asterisks at all).

0 Karma

ejohn
Path Finder

That worked too!

0 Karma

DalJeanis
Legend

@ejohn - if it worked, please "accept" the answer so the question will show as complete.

jkat54
SplunkTrust
SplunkTrust

Match uses regular expressions so

* matches * and .* matches everything 

Try this instead:

 | eval type=if(match(title,".*summary.*"),"Report Summary",if(match(title, ".*detail.*"),"Detailed Report","Unknown Type"))

ejohn
Path Finder

Thanks for responding so quickly!

This is creating the TYPE field, but it's only returning the value "unknown type". Could this have something to do with special characters in the titles?

0 Karma

jkat54
SplunkTrust
SplunkTrust

As long as the titles are have lowercase summary or detail, it should work fine.

If summary can be upper or lower you can do this instead

  .*[sS][uU][mM][mM][aA][rR][yY].*

Same syntax for details.

0 Karma

ejohn
Path Finder

Once I capitalized summary and detail it worked. Now I know how to account for upper and lower too.

Thanks for the help!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...