Solved: How to save multiple values after multiple evaluat...

Gian89 · ‎02-15-2022

Hello Splunkers,

for a project I'm working on, I would need to store different IDs in a variable after evaluating them with if or case.
The idea is to check several conditions and if one or more are met, update the value of the variable.
Example:

event1: A | B | C
event2: A | C | E
event3: B | F | G

Conditions:
if A is present -> ID01
if B is present -> ID02
if B is present -> ID03

Result:
event1: ID01,ID02,ID03
event2: ID01,ID03
event3: ID02

ITWhisperer · ‎02-15-2022

| makeresults
| eval letter1="A", letter2="B", letter3="C"
| append
[| makeresults
| eval letter1="A", letter2="C", letter3="E"]
| append
[| makeresults
| eval letter1="B", letter2="F", letter3="G"]
| eval ID=""
| eval ID=if(letter1="A" OR letter2="A" OR letter3="A",ID.",ID01",ID)
| eval ID=if(letter1="B" OR letter2="B" OR letter3="B",ID.",ID02",ID)
| eval ID=if(letter1="C" OR letter2="C" OR letter3="C",ID.",ID03",ID)
| eval ID=trim(ID,",")
|table letter1 letter2 letter3 ID

View solution in original post

Gian89 · ‎02-16-2022

This is brilliant, thank you very much for your support!

ITWhisperer · ‎02-15-2022

| makeresults
| eval letter1="A", letter2="B", letter3="C"
| append
[| makeresults
| eval letter1="A", letter2="C", letter3="E"]
| append
[| makeresults
| eval letter1="B", letter2="F", letter3="G"]
| eval ID=""
| eval ID=if(letter1="A" OR letter2="A" OR letter3="A",ID.",ID01",ID)
| eval ID=if(letter1="B" OR letter2="B" OR letter3="B",ID.",ID02",ID)
| eval ID=if(letter1="C" OR letter2="C" OR letter3="C",ID.",ID03",ID)
| eval ID=trim(ID,",")
|table letter1 letter2 letter3 ID

How to save multiple values after multiple evaluation?

eval

Splunk Classroom Chronicles: Training Tales and Testimonials

Access Tokens Page - New & Improved

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!