How do you use the eval command when the field value contains multiple variables?

jacqu3sy
Path Finder

Hi,

How do I use the eval statement when the field value could contain multiple variables?

So, for example, my field "OS" could be:

Windows XP
Windows 7
Windows 10
Server 2003
Server2008

I want to use an eval to create two new fields; one for server OS and another for desktop OS

So something like

| eval server=if(OS="Server 2003" OR OS="Server2008", "yes", "no")
| eval desktop=if(OS="Windows XP" OR OS="Windows 10", "yes", "no")

Thanks.

1 Solution

harsmarvania57
SplunkTrust

Hi,

Try case:

<yourBaseSearch>
| eval os_type=case(OS == "Windows XP" OR OS == "Windows 7" OR OS == "Windows 10", "desktop", OS == "Server 2003" OR OS == "Server2008", "server")

jacqu3sy
Path Finder

Worked like a charm. Thanks.


harsmarvania57
SplunkTrust

Great, you are welcome.


DMohn
Motivator

You could use either match or like as an eval function here:

| eval is_server = if(like(OS, "Server%"),"1","0")
| eval is_desktop = if(like(OS, "Windows%"),"1","0")

like uses SQL-like wildcard matching. You can get even more flexibility with match, which uses regex:

| eval is_server = if(match(OS, "Server\s?[\d]{4}"),"1","0")
| eval is_desktop = if(match(OS, "^Windows"),"1","0")

Hope this helps ...

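The two approaches above combined into one self-contained search, as an added example that is not from either answer: it applies harsmarvania57's case() classification alongside DMohn's like() and match() tests, and adds a true() default branch so that OS values neither list covers get "unknown" instead of a null os_type (case() returns null when nothing matches, which is easy to mistake for a missing field in a dashboard or alert). The makeresults/split/mvexpand lines build constructed sample values and stand in for <yourBaseSearch>; the field name OS and the sample values, including the "Ubuntu 22.04" row that exercises the default branch, are assumptions.

```spl
| makeresults count=1
| eval OS=split("Windows XP,Windows 7,Windows 10,Server 2003,Server2008,Ubuntu 22.04", ",")
| mvexpand OS
| eval os_type=case(
      OS == "Windows XP" OR OS == "Windows 7" OR OS == "Windows 10", "desktop",
      OS == "Server 2003" OR OS == "Server2008", "server",
      true(), "unknown")
| eval is_server=if(match(OS, "^Server\s?\d{4}$"), 1, 0)
| eval is_desktop=if(like(OS, "Windows%"), 1, 0)
| table OS os_type is_server is_desktop
```

Run it as a complete search in Search & Reporting; the first three lines are the constructed input, so replace them with your own base search to apply it to real events. The exact-value case() list and the pattern-based like()/match() flags disagree only for values that one of them has not been written for, which is the row to look at when checking whether a new OS string has been classified correctly.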