Solved: How do you use the eval command when the field val...

jacqu3sy · ‎02-05-2019

Hi,

How do I use the eval statement when the field value could contain multiple variables?

so for example my field "OS" could be;

Windows XP
Windows 7
Windows 10
Server 2003
Server2008

I want to use an eval to create two new fields; one for server OS and another for desktop OS

So something like

| eval server=if(OS="Server 2003" OR OS="Server2008")
| eval desktop=if(OS="Windows XP" OR OS="Windows 10")

Thanks.

harsmarvania57 · ‎02-05-2019

Hi,

Try case

<yourBaseSearch>
| eval os_type=case(OS == "Windows XP" OR OS == "Windows 7" OR OS == "Windows 10", "desktop", OS == "Server 2003" OR OS == "Server2008", "server")

View solution in original post

harsmarvania57 · ‎02-05-2019

Hi,

Try case

<yourBaseSearch>
| eval os_type=case(OS == "Windows XP" OR OS == "Windows 7" OR OS == "Windows 10", "desktop", OS == "Server 2003" OR OS == "Server2008", "server")

jacqu3sy · ‎02-05-2019

worked like a charm. thanks.

harsmarvania57 · ‎02-05-2019

Great, you are welcome

DMohn · ‎02-05-2019

You could use either match or like as an eval function here ...

 | eval is_server = if(like(OS, "Server%"),"1","0")
 | eval is_desktop = if(like(OS, "Windows%"),"1","0")

Like uses a SQL-like wildcard matching. You can get even more flexibility with match - which uses regex...

 | eval is_server = if(match(OS, "Server\s?[\d]{4}"),"1","0")
 | eval is_desktop = if(like(OS, "Windows"),"1","0")

Hope this helps ...

How do you use the eval command when the field value contains multiple variables?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...