Re: How to create a field with selected values of ...

umsundar2015 · ‎11-22-2018

Hi ,

I have OS field which has many rows .In that i need to filter only the below values and create a field ,
Windows Server 2012 R2 Standard
Windows 7
Windows Server 2012
Windows 7 Enterprise
Windows 10
Microsoft Windows Server 2008 R2 Standard
Microsoft Windows Server 2008 R2 Enterprise
Microsoft Windows 2008 Server Standard
Windows 8
Windows 10 Enterprise

When i use match function like ,
eval OS=mvfilter(match(OS,"Windows Server 2012 R2 Standard") OR match(OS,"Windows Server 2012") OR match(OS,"Windows 7")) |stats count by OS

I am getting other values "Windows 7 embedded " also which i dont need in the list of values.

Please help to filter the exact values which i needed above.

Thanks .

vik_splunk · ‎11-23-2018

Hi @umsundar2015

A few different ways to do this.

1)Using replace : If your "other" options are limited, you could do something like below

|replace "Windows 7 embedded" WITH "Windows 7" IN OS (You can use wild characters and multiple values to replace in one single command.

Reference here : http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Replace

2)Using eval case : Spinning up an example without sample data is going to be difficult but a sample query will look like

|eval OS=case(match(OS,"Windows 7 embedded"),"Windows 7,..... series of such match functions(or can use simple OS==),finally a default match)

Reference here: http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/ConditionalFunctions

Hope that helps!

vik_splunk · ‎01-21-2019

If this answerd your question @umsundar2015, please mark it as closed/upvote.

How to create a field with selected values of the same field

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?