Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to map one string result to another string using Splunk query?

ABHAYA
Path Finder
‎05-10-2023 05:09 AM

for e.g.

input :   I am getting result in an table format like  statuscodeUSB   35 but i wan to transform the result into some thing  like Us Bank    35.

Basically I want to implement logic something like this

 if  statuscodeUSB  then  return Usbank

if statuscodeIND then return indian bank

 

can anyone suggest smething on this

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-10-2023 06:42 AM

Assuming statuscodeUSB and statuscodeIND have been extract into a field called statuscode, you could do something like this

| eval statuscode=case(statuscode="statuscodeUSB", "Usbank", statuscode="statuscodeIND", "indian bank", 1==1, statuscode)

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-10-2023 06:42 AM

Assuming statuscodeUSB and statuscodeIND have been extract into a field called statuscode, you could do something like this

| eval statuscode=case(statuscode="statuscodeUSB", "Usbank", statuscode="statuscodeIND", "indian bank", 1==1, statuscode)
Reply
Solved! Jump to solution

ABHAYA
Path Finder
‎05-11-2023 02:56 AM

for 2nd  value it is  still displaying old value for e.g. i can see statuscodeIND not Indian bank after writing the eval expression. I  have one more question can eval expression works only for two values or more than  two values also.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-11-2023 03:43 AM

The case function will work for multiple values although there may be a line length limit (not sure what that might be), and the case function has to be all on one line. although it can wrap in some editors.

Reply
Solved! Jump to solution

ABHAYA
Path Finder
‎05-11-2023 03:56 AM

The above  query worked some how buy adding one more default value in the field called status Code.Not sure what is the concept behind that.Anyway  Thanks @ITWhisperer 

0 Karma
Reply
Solved! Jump to solution

ABHAYA
Path Finder
‎05-11-2023 02:46 AM
it is working for only 1st value.
0 Karma
Reply
Solved! Jump to solution

enzomialich
Path Finder
‎05-10-2023 05:17 AM

I believe you could use a lookup table. Create a column that matches the extracted field and another column with the additional field information. something like

statuscode     bank                (headers)
statuscodeUSB    Usbank

statuscodeIND      Indianbank

See the docs: https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationto...

 

And, have you tried the rename command? | rename <wc-field> AS <wc-field>...

 

 

0 Karma
Reply
Solved! Jump to solution

ABHAYA
Path Finder
‎05-10-2023 05:25 AM

I tried with rename command but it was not working. The input format I shared i.e. actually the result of rex  expression.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...