Splunk Search

How to create a new field out of values of a current field?

Path Finder

I have a field with event IDs. Some of the IDs indicate an issue, while some of them indicate the opposite.

eventid=1 MalwareScanDown
eventid=2 MalwareScanUp
Eventid=3 SystemOffline
EventID=4 SystemOnline
EventID=5 PolicyUpdateFail
EventID=6 PolicyUpdateSuccuess

I want to create a pie chart that shows systems that have a latest status of good, or bad.

Is there a way to group the results of eventID=2,4,6 into a new field called good. Likewise, is there a way to group eventid 1,3,6 into a new field called bad?

0 Karma
1 Solution

Influencer

Something like this should work

... |eval Type= case(EventID==1 OR EventID==3 OR EventID==6, "Bad", EventID==2 OR EventID==4 OR EventID==5", "Good") | stats count by Type 

View solution in original post

Splunk Employee
Splunk Employee

Assuming for simplicity that your eventIDs are single digit, you could do something like this: | eval status=case(match(eventId,"[246]"),"good", 1=1,"bad")

If you want to prevent your searches from getting too convoluted, I would recommend creating a lookup table that lists all the eventIDs that are either good or bad, and defining a lookup that returns an appropriate default match.
So, if your lookup file has "good" eventIDs, return a default match of "bad" if the lookup fails and vice versa.

Many ways to skin this cat. 🙂

SplunkTrust
SplunkTrust

Try this

... | eval status=case(eventid=1,"bad",eventid=2,"good", eventid=3,"bad", eventid=4,"good", eventid=5,"bad", eventid=6,"good") | chart count by status

Or this

... | eval good=if(eventid=1 OR eventid=3 OR eventid=5, 1, 0), eval bad=if(eventid=2 OR eventid=4 OR eventid =6, 1, 0) | ...
---
If this reply helps you, an upvote would be appreciated.

Path Finder

The first option works. I like the second one better, but I get an error on the search when I run that. "Error in 'eval' command: The arguments to the 'if' function are invalid."

0 Karma

SplunkTrust
SplunkTrust

I've corrected the second option.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Influencer

Something like this should work

... |eval Type= case(EventID==1 OR EventID==3 OR EventID==6, "Bad", EventID==2 OR EventID==4 OR EventID==5", "Good") | stats count by Type 

View solution in original post