Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write the syntax for eval to create a new field mapping variations of the same value?

Roopaul
Explorer
‎01-08-2015 03:37 PM

Hi, I am pretty new to splunk and just doing some trial on my own.

This is the scenario. In the file I have a field "Country" which has multiple country names. I noticed that this field has multiple values which can be mapped to the same country. For eg. The field can be US, USA, US*, US/10 etc. all of which map to USA. I want to create a new field and write USA whenever these conditions occur.

I tried using CASE function as below, but it needs the specific word to search for. Is there a way to put a wildcard and search for everything which starts with 'US'.

case(country == "USA", "USA", url == "US", "USA", url == "US/10", "USA")

Is there any other function we can use in such scenario? Any suggestion will be helpful.

P.S. >> i am creating it in a Datamodel and will later use in pivot.

Thanks!

Tags (4)
0 Karma
Reply

Raghav2384
Motivator
‎01-08-2015 03:41 PM

Try this. Let's create a new field called New_Country

eval New_Country = if(match(Country,"RUS"),"Russia",if(match(Country,"US"),"USA",Country))

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...