Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to have Field Values represent other field values?

thomastaylor
Communicator
‎05-24-2018 02:01 PM

Hello all!

I apologize for the oddly worded question. Currently, I have extracted fields from two separate log formats that provide different spellings of field values.

Examples:

Field Name: Status
Field Values: ERROR, INFO, CRITICAL, err, info

Since info and INFO are not the same string, this will provide two different metrics to work with. I would like to know if there is someway to merge the "info" into the "INFO" so that it's only seen as one metric. The same applies with err to ERROR as well. And, if there is no way to do this other than by a saved search, I can do that as well. Just let me know!

Thanks you so much for your time!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thomastaylor
Communicator
‎05-25-2018 06:18 AM

Thank you for your answer!

We actually found a work-around solution where we tagged the statuses as "INFO" and "ERROR" for all the different log formats. We then did the search: index="main" | timechart count by tag::status and it achieved what we wanted.

View solution in original post

Reply
Solved! Jump to solution

TISKAR
Builder
‎05-25-2018 06:33 AM

Hello,

You can use the tag or alias in Splunk, that acn help you to manage and organise your data

Regards

0 Karma
Reply
Solved! Jump to solution
Solution

thomastaylor
Communicator
‎05-25-2018 06:18 AM

Thank you for your answer!

We actually found a work-around solution where we tagged the statuses as "INFO" and "ERROR" for all the different log formats. We then did the search: index="main" | timechart count by tag::status and it achieved what we wanted.

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-25-2018 08:29 AM

This is a great solution for problems like this. I've converted your comment as Answer so that you can accept this. Others with similar problem would then know that a working solution is available.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-24-2018 02:25 PM

Do the distinct field Values are finite list? If yes, you can add a case statement in your search to normalize the values. e.g.

...| eval Status=case(match(Status,"^(?i)(ERR)"),"ERROR",match(Status,"^(?i)(INFO)"),"INFO",..other values )
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...