Solved: Re: If a value contains a value it changes to anot...

Talking_Master · ‎08-04-2023

Hi Iam looking to create an if statement: if value contains part of another value it changes it too another value.

for example contains x its true if not its false.

| eval error=if(in(status, "error", "failure", "severe"),"true","false")

I also want it for many values.

andrew_nelson · ‎08-04-2023

Using the match() function should do what you need.

| eval error=if(match(status, "(?i)error") OR match(status, "(?i)failure") OR match(status, "(?i)severe"),"true","false")

If however you have a bunch of matching patterns, having all of them in a lookup file and using wildcard matching might be a better option.

View solution in original post

andrew_nelson · ‎08-04-2023

Using the match() function should do what you need.

| eval error=if(match(status, "(?i)error") OR match(status, "(?i)failure") OR match(status, "(?i)severe"),"true","false")

If however you have a bunch of matching patterns, having all of them in a lookup file and using wildcard matching might be a better option.

Talking_Master · ‎08-04-2023

Thanks for the solution. But If theres value say it has server 1 failed. How do I one look for if value has failed in its string then it does somthing.

andrew_nelson · ‎08-04-2023

You can use match(status, "(?i)fail") and it'll match failed, fail, failure, failing.

If a value contains a value it changes to another.

eval

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio