Splunk Search

How to map one string result to another string using Splunk query?

ABHAYA
Path Finder

For example:

Input: I am getting the result in a table format like statuscodeUSB 35, but I want to transform the result into something like Us Bank 35.

Basically I want to implement logic something like this:

 if  statuscodeUSB  then  return Usbank

if statuscodeIND then return indian bank

Can anyone suggest something on this?

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Assuming statuscodeUSB and statuscodeIND have been extracted into a field called statuscode, you could do something like this:

| eval statuscode=case(statuscode="statuscodeUSB", "Usbank", statuscode="statuscodeIND", "indian bank", 1==1, statuscode)


ABHAYA
Path Finder

For the 2nd value it is still displaying the old value, e.g. I can see statuscodeIND, not Indian bank, after writing the eval expression. I have one more question: does the eval expression work only for two values, or for more than two values also?

0 Karma

ITWhisperer
SplunkTrust

The case function will work for multiple values, although there may be a line length limit (not sure what that might be), and the case function has to be all on one line, although it can wrap in some editors.

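As an added example (not code from the thread), here is a self-contained search you can paste into a Splunk search bar: it builds three sample rows with makeresults, extracts statuscode with rex as the original poster described, and maps it with case(). The third value, statuscodeXYZ, and the field names _raw, statuscode, value and bank are assumptions; the 1==1 branch is the default that leaves any unmatched code unchanged, so an unmatched value shows up as itself in the output instead of disappearing.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n=1, "statuscodeUSB 35", n=2, "statuscodeIND 12", n=3, "statuscodeXYZ 7")
| rex field=_raw "(?<statuscode>statuscode[A-Z]+)\s+(?<value>\d+)"
| eval bank=case(statuscode="statuscodeUSB", "Us Bank", statuscode="statuscodeIND", "Indian Bank", 1==1, statuscode)
| table statuscode bank value
```

Expected output is three rows: statuscodeUSB / Us Bank / 35, statuscodeIND / Indian Bank / 12, and statuscodeXYZ / statuscodeXYZ / 7; adding more pairs to case() maps more values, and keeping the default as the last pair makes any code that does not match visible in the results.
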
ABHAYA
Path Finder

The above query worked somehow by adding one more default value in the field called status Code. Not sure what is the concept behind that. Anyway, thanks @ITWhisperer

0 Karma

ABHAYA
Path Finder
It is working for only the 1st value.
0 Karma

enzomialich
Path Finder

I believe you could use a lookup table. Create a column that matches the extracted field and another column with the additional field information. Something like:

statuscode       bank          (headers)
statuscodeUSB    Usbank
statuscodeIND    Indianbank

See the docs: https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationto...

And, have you tried the rename command? | rename <wc-field> AS <wc-field>...

0 Karma

ABHAYA
Path Finder

I tried the rename command but it was not working. The input format I shared is actually the result of a rex expression.

0 Karma