Splunk Search

How to check for the same values in a field and replace another field with specific text

FyazIkram834
Engager

So currently  i have:

|Name                     | Branch                    | Age

---------------------------------------------------------
|   Tom                     |  USA                          | 21
|   Tom                     |  India                         | 23
|    Pat                      |  India                         | 26

If someone can please show me how to find the "Tom" matches on the "Name" field and then change the branches to USA for both the toms. 
Thanks.

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| eventstats count by Name
| eval Branch=if(count>1,"USA",Branch)

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@FyazIkram834 

Can you please try this?

YOUR_SEARCH | eventstats values(Branch) as Branches by Name
| eval Branch=if(mvfind(Branches,"USA")>0,"USA",Branch) | fields - Branches

 

My Sample Search :

| makeresults | eval _raw="Name,Branch,Age
Tom,USA,21
Tom,India,23
Pat,India,26" | multikv forceheader=1
| table Name,Branch,Age | eventstats values(Branch) as Branches by Name
| eval Branch=if(mvfind(Branches,"USA")>0,"USA",Branch) | fields - Branches


 Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| eval Branch=if(Name="Tom","USA",Branch)
0 Karma

FyazIkram834
Engager

@ITWhisperer . There are more than just one same Name. like there are more different matching names. I just gave that as an example. Thanks.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I guessed as much so you will have to give more information, for example, do you want all matching names to be USA branch? Do you want all matching names to be the first branch? If so, what determines first?

0 Karma

FyazIkram834
Engager

Yes i would like to have all matching names to be USA branch. @ITWhisperer 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| eventstats count by Name
| eval Branch=if(count>1,"USA",Branch)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...