Splunk Search

How to run an eval command if a statement is true, and keep non true data in the search?

robertlynch2020
Influencer

Hi

Below is a simple example of what I am trying to do.

I am trying to remove the duplicate out of the process name. I have the code for that, but I only want to run this code if service_type = agent-based.

So ideally I want to run: if service_type = agent-based, then the eval below.

However, I lose the !=agent-based data, which I don't want to run the eval on.

So how do I say: if agent-based, run these 2 evals on that specific data, and then keep the rest of the !=agent-based?

    | eval temp=split($Process_Name$," ")
    | eval Process_Name=mvindex(temp,0)


Thanks in Advance

 

0 Karma

ITWhisperer
SplunkTrust
| eval Process_Name=if(service_type="agent-based",mvindex(split($Process_Name$," "),0),$Process_Name$)
0 Karma

robertlynch2020
Influencer

Hi 

Thanks, that is perfect. 

Thanks

Rob

0 Karma
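
The conditional eval from the reply above, as an added example that is not part of the original thread: a self-contained search that builds four constructed events with `makeresults` and applies the `if()` to them. It assumes the search is typed into the search bar, so the field is referenced as `Process_Name` rather than through the `$Process_Name$` token; `sample_row`, `Original_Name`, the value `agentless` and the process names are constructed for illustration.

```spl
| makeresults count=4
| streamstats count AS sample_row
| eval service_type=case(sample_row=1,"agent-based", sample_row=2,"agent-based", sample_row=3,"agentless")
| eval Process_Name=case(sample_row=1,"java java", sample_row=2,"nginx", sample_row=3,"sshd sshd", sample_row=4,"cron cron")
| eval Original_Name=Process_Name
| eval Process_Name=if(service_type="agent-based", mvindex(split(Process_Name," "),0), Process_Name)
| table sample_row service_type Original_Name Process_Name
```

Only the agent-based rows are shortened to their first word; rows with any other service_type, including the fourth row where service_type is missing, fall through to the else branch of `if()` and keep their original Process_Name.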