I have the following data:
Code Area
1234.1234 ABC
9933.9933 DEF
6611.6611 GHI
8910.8910 ABC
8910.1111 ABC
Search looks like the following:
| inputlookup combined.csv | search Code=* | eval NewArea=case('AREA'="DEF","Opeth",'AREA'="GHI","Danzig") | table Code, NewArea
New output:
Code Area
1234.1234 ABC
9933.9933 Opeth
6611.6611 Danzig
8910.8910 ABC
8910.1111 ABC
What I also need to do is, if Code equals 8910.*, rename it to "Tool", and if Code equals 1234.1234, rename it to "Gojira".
Code Area
1234.1234 Gojira
9933.9933 Opeth
6611.6611 Danzig
8910.8910 Tool
8910.1111 Tool
Is something like this possible?
You're almost there with your existing query.
| inputlookup combined.csv | search Code=*
| eval NewArea=case('AREA'="DEF","Opeth",'AREA'="GHI","Danzig", match(Code,"8910\..*"), "Tool", Code="1234.1234", "Gojira")
| table Code, NewArea
Thanks a lot to both of you. I wish I could put Accepted to both replies.
@sb01splunk,
Add those conditions to the case statement.
| inputlookup combined.csv | search Code=*
| eval NewArea=case(Area=="DEF","Opeth",Area=="GHI","Danzig",Code=="1234.1234","Gojira",match(Code,"8910"),"Tool")
| table Code, NewArea
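An added, self-contained example (not part of any post in this thread): it rebuilds the question's five sample rows with makeresults instead of reading combined.csv, anchors the 8910 pattern to the start of Code, and ends the case() with a true() branch so rows matching no condition keep their original Area instead of becoming null. The field names Code and Area are assumed from the sample table's header, and the row field is a constructed helper; case() returns the value for the first condition that is true, so the order of the pairs matters.

```spl
| makeresults
| eval row=split("1234.1234,ABC;9933.9933,DEF;6611.6611,GHI;8910.8910,ABC;8910.1111,ABC", ";")
| mvexpand row
| rex field=row "^(?<Code>[^,]+),(?<Area>.+)$"
| eval NewArea=case(
    Area=="DEF", "Opeth",
    Area=="GHI", "Danzig",
    Code=="1234.1234", "Gojira",
    match(Code, "^8910\."), "Tool",
    true(), Area)
| table Code, NewArea
```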