How to write an eval search to fetch the value of field2 corresponding to field1?

New Member

Hi all,

How do I write an eval statement to fetch the value of field2 corresponding to field1?
For example, consider the table below:

field1  field2
Orange  10
apple    12
potato  13

If the field1 value is Orange, I want to assign abc the value of the corresponding field2; here it is 10.
..|eval abc= value of field2 for orange..

Kindly help me in writing the search.

Thanks in advance
Muthu


Re: How to write an eval search to fetch the value of field2 corresponding to field1?

SplunkTrust

Try this:

yoursearch | eval field2 = if(match(field1,"Orange"), field1, field2)

If field1 matches Orange, then assign field1 to field2, else assign field2


Re: How to write an eval search to fetch the value of field2 corresponding to field1?

New Member

Thanks for your reply.
Here I'm trying to create another field, field3.
As per your suggestion, I'm getting output like:
field1 field2 field3
Orange 10 10
apple 12 12
potato 13 13

But I would like to have the result as below:
field1 field2 field3
Orange 10 10
apple 12 10
potato 13 10


Re: How to write an eval search to fetch the value of field2 corresponding to field1?

SplunkTrust

Hi, so assuming you want to set the value of field3 in ALL your events to be field2 when field1 matches Orange, this is what I would do:

| inputcsv mycsv.csv
| join type=left [
   | inputcsv mycsv.csv
   | search field1 = "Orange"
   | eval fieldNEW = field2
   | fields fieldNEW
]
| eval field3 = fieldNEW
| fields - fieldNEW

mycsv.csv is just a csv matching the content of your table:

field1  field2  field3
Orange  10  11
apple   12  12
potato  13  13

And the query returns the following:

field1  field2  field3
Orange  10  10
apple   12  10
potato  13  10

Re: How to write an eval search to fetch the value of field2 corresponding to field1?

SplunkTrust
<your search> |eval abc=if(field1=="Orange",field2,"")|eventstats values(abc) as abc

View solution in original post
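
A self-contained way to check the accepted solution above, added here as an example and not posted by anyone in the thread. It uses makeresults to build three constructed rows matching the table in the question; the helper fields n and per_event are names chosen for this example, and null() is used instead of "" for the rows that do not match.

```spl
| makeresults count=3
| streamstats count AS n
| eval field1=case(n==1,"Orange", n==2,"apple", n==3,"potato")
| eval field2=case(n==1,10, n==2,12, n==3,13)
| eval per_event=if(field1=="Orange", field2, null())
| eventstats values(per_event) AS abc
| eval field3=abc
| table field1 field2 per_event abc field3
```

per_event is set only on the Orange row because eval works on one event at a time, while eventstats copies that value to every row, so abc and field3 are 10 on all three. If several rows match Orange with different field2 values, values() returns a multivalue field.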


Re: How to write an eval search to fetch the value of field2 corresponding to field1?

Motivator

Try:
yoursearch | eval abc = if(match(field1,"Orange"), field2, field2) | eval field3 = if(match(field1,"Orange"), field2, abc)


Re: How to write an eval search to fetch the value of field2 corresponding to field1?

New Member

Hi,
Also, here, if I want to save the value of field2 corresponding to the field1 value Orange (here it is 10) as another variable abc, how can I do that?


Re: How to write an eval search to fetch the value of field2 corresponding to field1?

SplunkTrust

Have you tried the search posted by me?


Re: How to write an eval search to fetch the value of field2 corresponding to field1?

Motivator

thx Mr renjith.nair you are right


Re: How to write an eval search to fetch the value of field2 corresponding to field1?

New Member

yes it is working for me..thx
