ejohn:
I'm trying to create a new field called TYPE, which is dependent on the word "summary" or "detail" appearing in the TITLE field, so I can then count by TYPE.
I successfully filtered my logs to identify reports with "summary" or "detail" in the title:
|search(title="*summary*" OR "*detail*")
Then, I tried to create TYPE and set its output values to "Report Summary" or "Detailed Report":
|eval type=if(match(title,"*summary*"), "Report Summary", match(title, "*detail*"), "Detailed Report")
I also tried doing a field extraction, but the title field does not appear in the Select Fields box to be highlighted.
I'm stuck. Please help!
woodcock:
Your stacked if should really be a case and your RegEx like this:
index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcetypeToo (title="*summary*" OR title="*detail*")
| eval type=case(match(title, "(?i)summary"), "Report Summary",
match(title, "(?i)detail"), "Detailed Report",
true(), "THIS SHOULD NEVER EVER HAPPEN")
jkat54 (SplunkTrust):
@ejohn, since both answers worked, why don't you choose the one that runs the quickest, or consumes the least CPU/RAM or whatever you like, and then mark it as the answer and upvote both?
ejohn:
@jkat54, thanks for the suggestion. I decided to accept the answer with the higher EPS.
Adding each eval to the rest of my search against 10 months of logs in Verbose mode:
|eval type=case(match(title...) returned 14,190 EPS
and
|eval type=if(match(title...) returned 13,408 EPS
ejohn:
@jkat54 and @woodcock this is my first real attempt at crowdsourcing and I like it! You guys have been awesome!
jkat54 (SplunkTrust):
Hey @ejohn, anytime sir! That's what we do. Feel free to tag us when needed. @woodcock almost always has the best answer but I keep trying!
ejohn:
Thanks for the quick response!
I tried this with * and with .* for wildcards, but I get the following error:
Error in 'eval' command: The arguments to the 'searchmatch' function are invalid.
woodcock:
I was adding features to searchmatch in my mind! Try the updated answer instead.
ejohn:
I changed * to .* in the eval and it worked!
Thanks so much!
woodcock:
ARGH! You are right again. That's what I get for writing RegEx in my head. I will fix the original answer (the right answer is to not have the asterisks at all).
ejohn:
That worked too!
DalJeanis:
@ejohn - if it worked, please "accept" the answer so the question will show as complete.
jkat54 (SplunkTrust):
Match uses regular expressions, so * matches * and .* matches everything.
Try this instead:
| eval type=if(match(title,".*summary.*"),"Report Summary",if(match(title, ".*detail.*"),"Detailed Report","Unknown Type"))
ejohn:
Thanks for responding so quickly!
This is creating the TYPE field, but it's only returning the value "unknown type". Could this have something to do with special characters in the titles?
jkat54 (SplunkTrust):
As long as the titles have lowercase summary or detail, it should work fine.
If summary can be upper or lower you can do this instead:
.*[sS][uU][mM][mM][aA][rR][yY].*
Same syntax for details.
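To make the regex behaviour behind both answers concrete, here is an added Python model of the `case(match(title, ...), ...)` eval; it is not SPL and not code from either poster. It shows why the glob-style `*summary*` is rejected by a regex engine, why `(?i)summary` needs no `.*` wildcards because match() is an unanchored search, and the "count by TYPE" the question is after. The sample titles are constructed.

```python
import re
from collections import Counter

# Constructed sample titles (not from the thread), with the mixed case and
# punctuation that tripped up the case-sensitive pattern in the thread.
TITLES = [
    "Daily Summary - Sales (EMEA)",
    "Detailed Report: Q3 pipeline",
    "summary_of_errors.csv",
    "Detail view / hosts",
    "Capacity Plan 2019",
]

# Same branches as the case() eval: the first matching branch wins and the
# true() branch becomes a catch-all label for titles that match neither word.
RULES = [
    (re.compile(r"(?i)summary"), "Report Summary"),
    (re.compile(r"(?i)detail"), "Detailed Report"),
]
FALLBACK = "Unknown Type"

def classify(title: str) -> str:
    """Mirror of eval type=case(match(title, ...), ...). A regex search is
    unanchored, so 'summary' matches anywhere in the title without .*"""
    for pattern, label in RULES:
        if pattern.search(title):
            return label
    return FALLBACK

def count_by_type(titles):
    """The 'count by TYPE' the original question wants, as a Counter."""
    return Counter(classify(t) for t in titles)

def is_valid_regex(pattern: str) -> bool:
    """Why '*summary*' produced an error: a leading '*' is a quantifier with
    nothing to repeat, so the regex engine rejects the pattern outright."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

if __name__ == "__main__":
    for t in TITLES:
        print(f"{t!r:34} -> {classify(t)}")
    print(dict(count_by_type(TITLES)))
    for p in ("*summary*", ".*summary.*", "(?i)summary"):
        print(f"{p!r:14} valid regex: {is_valid_regex(p)}")
```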
ejohn:
Once I capitalized summary and detail it worked. Now I know how to account for upper and lower too.
Thanks for the help!