Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write the syntax for eval to create a new field mapping variations of the same value?

Roopaul
Explorer
‎01-08-2015 03:37 PM

Hi, I am pretty new to splunk and just doing some trial on my own.

This is the scenario. In the file I have a field "Country" which has multiple country names. I noticed that this field has multiple values which can be mapped to the same country. For eg. The field can be US, USA, US*, US/10 etc. all of which map to USA. I want to create a new field and write USA whenever these conditions occur.

I tried using CASE function as below, but it needs the specific word to search for. Is there a way to put a wildcard and search for everything which starts with 'US'.

case(country == "USA", "USA", url == "US", "USA", url == "US/10", "USA")

Is there any other function we can use in such scenario? Any suggestion will be helpful.

P.S. >> i am creating it in a Datamodel and will later use in pivot.

Thanks!

Tags (4)
0 Karma
Reply

Raghav2384
Motivator
‎01-08-2015 03:41 PM

Try this. Let's create a new field called New_Country

eval New_Country = if(match(Country,"RUS"),"Russia",if(match(Country,"US"),"USA",Country))

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...