Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How would I examine a field and set another field based upon that value?

a212830
Champion
‎01-28-2016 07:41 PM

Hi,

I have some hosts that follow naming conventions and I want to create and set another field based upon those naming conventions. How would I do that? For example, some of these hosts have "MMK" in them, and others have "RTP". I want to check for those values, and if they exists, set another field "location" to a literal string value representing those locations. Eval? Where?

Reply

Amohlmann
Communicator
‎01-28-2016 08:26 PM

You could use either eval or rex to do this. As others have already provided you with the answer for using an eval, a regular expression query would look like this:

Base Search
| rex field=hosts "(?<location>MMK|RTP).*"

The regular expression can be tidied up a bit more if you gave an example of your events.

Reply

lguinn2
Legend
‎01-28-2016 07:55 PM

You are on the right track; eval can do what you need, like this

yoursearchhere
| eval location=case(host LIKE "%MMK%","MMK", host LIKE "%RTP%", "RTP", 1==1, "Other")
| stats count by location

I used the case function, but there are other ways to do this as well.

You might also consider a lookup table, which could provide more information about your hosts:

host_list.csv
host,location,dept,ip
mmk01,"San Francisco",Finance,10.12.14.122
rtp03,Durham,Finance,10.72.24.214
etc.

Here is a tutorial on lookup tables.

0 Karma
Reply

Murali2888
Communicator
‎01-28-2016 07:52 PM

you can use eval and searchmatch
| eval location= if(searchmatch("MMK"),"LiteralString1",if(searchmatch("RTP"),"LiteralString2","DEFAULTStr"))

0 Karma
Reply

renjith_nair
Legend
‎01-28-2016 07:49 PM

Try this

Your search |eval location=case(host LIKE "%MMK%", "MMKLOCATION", host LIKE "%RTP%", "RTPLOCATION", host LIKE "%", "Others")
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

a212830
Champion
‎01-28-2016 08:04 PM

Thanks! !!!

0 Karma
Reply

renjith_nair
Legend
‎01-28-2016 11:10 PM

No problem. Please mark as answer if it's resolved so that thread will be closed!

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

renjith_nair
Legend
‎01-31-2016 08:48 PM

@a212830 , if the answer helps you, please mark as answer. Thanks

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...