Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to replace the value when another field ha...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the "delta_value" is more than 2 then I'd like to replace the value1 to "error"
Raw data
No, _time, value1, delta_value
1, 05/26/2017 06:32:50, 5.949602127, 0
2, 05/26/2017 06:32:55, 15.949602127, 10
3, 05/26/2017 06:33:00, 16.949602127, 1
4, 05/26/2017 06:33:05, 17.949602127, 1
Final result
No, _time, value1, delta_value
1, 05/26/2017 06:32:50, 5.949602127, 0
2, 05/26/2017 error, 15.949602127, 10
3, 05/26/2017 06:33:00, 16.949602127, 1
4, 05/26/2017 06:33:05, 17.949602127, 1
How to do it smart?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@syokota [Splunk], please pipe the following eval with case() to match required condition and set the values accordingly
<YourBaseSearch>
| eval value1=case(delta1>2,"error",true(),value1)
In your example you have applied error to _time value.
Following is the run anywhere search based on your data (I have not included No field.)
| makeresults
| eval data="05/26/2017 06:32:50,5.949602127,0;05/26/2017 06:32:55,15.949602127,10;05/26/2017 06:33:00,16.949602127,1;05/26/2017 06:33:05,17.949602127,1"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,",")
| eval _time=mvindex(data,0)
| eval value1=mvindex(data,1)
| eval delta1=mvindex(data,2)
| table _time value1 delta1
| eval value1=case(delta1>2,"error",true(),value1)
Please try out and confirm.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm sorry to write down "Final result", correct image is below.
Final result
No, _time, value1, delta_value
1, 05/26/2017 06:32:50, 5.949602127, 0
2, 05/26/2017 06:32:55, error, 10
3, 05/26/2017 06:33:00, 16.949602127, 1
4, 05/26/2017 06:33:05, 17.949602127, 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@syokota [Splunk], please pipe the following eval with case() to match required condition and set the values accordingly
<YourBaseSearch>
| eval value1=case(delta1>2,"error",true(),value1)
In your example you have applied error to _time value.
Following is the run anywhere search based on your data (I have not included No field.)
| makeresults
| eval data="05/26/2017 06:32:50,5.949602127,0;05/26/2017 06:32:55,15.949602127,10;05/26/2017 06:33:00,16.949602127,1;05/26/2017 06:33:05,17.949602127,1"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,",")
| eval _time=mvindex(data,0)
| eval value1=mvindex(data,1)
| eval delta1=mvindex(data,2)
| table _time value1 delta1
| eval value1=case(delta1>2,"error",true(),value1)
Please try out and confirm.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you everyone!
I did it using below command.
|eval value1 = case(delta1="error","error",1=1,"unknown")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketnilay beat me to it, so since I already thougth it through, you can also use "if"
<base search> | eval value1=if(delta_value>2,"error",value1)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While if() is a hammer (you might hit a nail ;), see case() as a nail gun.
Because it will handle each possible case of key value if you add a default group like this:
eval value1=case(delta1>2,"error",true(),value1,1=1,"unknown")
if nothing matches the case() you will still have the field value1="unknown". An if() would leave you empty in this case ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Mus, thanks for the perfect analogy, however, the true() condition in my case statement is same as 1=1. To me it made sense to include just two blocks i.e. "error" if value1 is greater than 2 and for everything else value1, i.e. for all number <= 2 and also non numeric fields it will show the value as is.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Indeed the true() is always true 😉
The reason why I usually try to match as much as possible in the case() and use the catch all 1=1, "unknown" as last, is that you can then run a search to find any unknown values and fix them.
A search example would be this:
| makeresults
| eval boo="2", foo=case(boo=1, boo, 1=1, "unknown")
| transpose
| search "row 1"="unknown"
| stats count values("row 1") AS value by column
| rename column AS fieldname
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agree. Same here 🙂
| makeresults | eval message= "Happy Splunking!!!"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
