Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to save multiple values after multiple evaluation?

Gian89
Explorer
‎02-15-2022 09:21 AM

Hello Splunkers,

for a project I'm working on, I would need to store different IDs in a variable after evaluating them with if or case.
The idea is to check several conditions and if one or more are met, update the value of the variable.
Example:

event1: A | B | C 
event2: A | C | E
event3: B | F | G

Conditions:
if A is present  -> ID01
if B is present  -> ID02
if B is present  -> ID03

Result:
event1: ID01,ID02,ID03
event2: ID01,ID03
event3: ID02

I tried to concatenate the results but with no success:
| makeresults
| eval letter1="A", letter2="B", letter3="C"
| append
[| makeresults
| eval letter1="A", letter2="C", letter3="E"]
| append
[| makeresults
| eval letter1="B", letter2="F", letter3="G"]
| eval ID=""
| eval ID=ID.if(letter1="A" OR letter2="A" OR letter3="A","ID01",NULL)
| eval ID=ID.if(letter1="B" OR letter2="B" OR letter3="B",",ID02",NULL)
| eval ID=ID.if(letter1="C" OR letter2="C" OR letter3="C",",ID02",NULL)
|table letter1 letter2 letter3 ID

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2022 09:29 AM 
| makeresults
| eval letter1="A", letter2="B", letter3="C"
| append
[| makeresults
| eval letter1="A", letter2="C", letter3="E"]
| append
[| makeresults
| eval letter1="B", letter2="F", letter3="G"]
| eval ID=""
| eval ID=if(letter1="A" OR letter2="A" OR letter3="A",ID.",ID01",ID)
| eval ID=if(letter1="B" OR letter2="B" OR letter3="B",ID.",ID02",ID)
| eval ID=if(letter1="C" OR letter2="C" OR letter3="C",ID.",ID03",ID)
| eval ID=trim(ID,",")
|table letter1 letter2 letter3 ID

View solution in original post

Reply
Solved! Jump to solution

Gian89
Explorer
‎02-16-2022 12:11 AM

This is brilliant, thank you very much for your support!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2022 09:29 AM 
| makeresults
| eval letter1="A", letter2="B", letter3="C"
| append
[| makeresults
| eval letter1="A", letter2="C", letter3="E"]
| append
[| makeresults
| eval letter1="B", letter2="F", letter3="G"]
| eval ID=""
| eval ID=if(letter1="A" OR letter2="A" OR letter3="A",ID.",ID01",ID)
| eval ID=if(letter1="B" OR letter2="B" OR letter3="B",ID.",ID02",ID)
| eval ID=if(letter1="C" OR letter2="C" OR letter3="C",ID.",ID03",ID)
| eval ID=trim(ID,",")
|table letter1 letter2 letter3 ID
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...