Splunk Search

How do I use a value in an existing field to create a new field and assign output values?

Path Finder

I'm trying to create a new field called TYPE, which is dependent on the word "summary" or "detail" appearing in the TITLE field, so I can then count by TYPE.

I successfully filtered my logs to identify reports with "summary" or "detail" in the title:

| search (title="*summary*" OR title="*detail*")

Then, I tried to create TYPE and set its output values to "Report Summary" or "Detailed Report":

|eval type=if(match(title,"*summary*"), "Report Summary", match(title, "*detail*"), "Detailed Report")

I also tried doing a field extraction, but the title field does not appear in the Select Fields box to be highlighted.

I'm stuck. Please help!


SplunkTrust

@ejohn, since both answers worked, why don't you choose the one that runs the quickest, or consumes the least CPU/RAM or whatever you like, and then mark it as the answer and upvote both?


Path Finder

@jkat54, thanks for the suggestion. I decided to accept the answer with the higher EPS.

Adding each eval to the rest of my search against 10 months of logs in Verbose mode:

|eval type=case(match(title...) returned 14,190 EPS

and

|eval type=if(match(title...) returned 13,408 EPS

Path Finder

@jkat54 and @woodcock this is my first real attempt at crowdsourcing and I like it! You guys have been awesome!

SplunkTrust

Hey @ejohn, anytime sir! That's what we do. Feel free to tag us when needed. @woodcock almost always has the best answer but I keep trying!


Esteemed Legend

Your stacked if should really be a case and your RegEx like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcetypeToo (title="*summary*" OR title="*detail*")
| eval type=case(match(title, "(?i)summary"), "Report Summary",
                 match(title, "(?i)detail"), "Detailed Report",
                 true(), "THIS SHOULD NEVER EVER HAPPEN")


Path Finder

Thanks for the quick response!

I tried this with * and with .* for wildcards, but I get the following error:

  Error in 'eval' command: The arguments  to the 'searchmatch' function are invalid.

Esteemed Legend

I was adding features to searchmatch in my mind! Try updated answer instead.


Path Finder

I changed * to .* in the eval and it worked!

Thanks so much!

Esteemed Legend

ARGH! You are right again. That's what I get for writing RegEx in my head. I will fix the original answer (the right answer is to not have the asterisks at all).


Path Finder

That worked too!


SplunkTrust

@ejohn - if it worked, please "accept" the answer so the question will show as complete.

SplunkTrust

Match uses regular expressions so

* matches * and .* matches everything 

Try this instead:

 | eval type=if(match(title,".*summary.*"),"Report Summary",if(match(title, ".*detail.*"),"Detailed Report","Unknown Type"))

Path Finder

Thanks for responding so quickly!

This is creating the TYPE field, but it's only returning the value "unknown type". Could this have something to do with special characters in the titles?


SplunkTrust

As long as the titles have lowercase summary or detail, it should work fine.

If summary can be upper or lower you can do this instead

  .*[sS][uU][mM][mM][aA][rR][yY].*

Same syntax for details.

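Putting the accepted case() answer and the case-insensitivity point together, here is an added example that is not from any post in this thread. It builds a few constructed titles with makeresults so it runs without an index, assigns type with match() using (?i) regexes (the PCRE flag for case-insensitive matching, equivalent to the [sS][uU]... character classes above), and counts by type. The title strings and the "Unknown Type" fallback label are assumptions made for the example.

```spl
| makeresults
| eval title=split("Daily Summary;Monthly DETAIL report;Quarterly summary;Audit Details;Release notes", ";")
| mvexpand title
| eval type=case(match(title, "(?i)summary"), "Report Summary",
                 match(title, "(?i)detail"),  "Detailed Report",
                 true(),                      "Unknown Type")
| stats count by type
```

Against real data, replace the first three lines with the index, sourcetype and (title="*summary*" OR title="*detail*") filter from the accepted answer and keep the eval and stats unchanged. Two things are worth knowing when reading the result: match() takes a regular expression, so a bare * (nothing to repeat) is what produced the 'searchmatch' error earlier in the thread, and .*summary.* is just a slower way of writing summary; and case() returns the first true branch, so a title containing both words is counted as "Report Summary", while the true() fallback catches anything the search filter did not exclude. On the constructed titles the first two branches match two titles each and the fallback matches "Release notes" only.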

Path Finder

Once I capitalized summary and detail it worked. Now I know how to account for upper and lower too.

Thanks for the help!
