Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Lookup table: Show one or another output

javo
Explorer
‎02-15-2013 11:37 AM 
Code,Description1,Description2
0,ok,successful
1,error,failure
3,not_connected,not_found
6,unsync,network_error

OK, this is a piece of my .csv file. I have everithing correctly configured in transforms.conf and props.conf.

I need to show in a table the right message to the Code, depending on the value of another field.
For example, the field Key contains only values Blue and Red. If Key is Blue, show Description1; if Key is Red, show Description2.

Continuing with the example, this is what I would want to see in the table while searching:

Code ----------- Key ------------ Description
  0              Red              successful
  1              Red              failure
  0              Blue             ok
  6              Red              network_error
  3              Blue             not_connected
  1              Blue             error

Is there any way to do that?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2013 04:23 PM

You should be able to achieve this with a combination of eval and case, something like this:

... | eval Description = case(Key=="Red",Description1,Key=="Blue",Description2)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2013 04:23 PM

You should be able to achieve this with a combination of eval and case, something like this:

... | eval Description = case(Key=="Red",Description1,Key=="Blue",Description2)
0 Karma
Reply
Solved! Jump to solution

rgcurry
Contributor
‎02-18-2013 09:13 AM

Javo,
When the student is ready, the lesson appears. I have found this to be true for me, and others, over and over again. It seems that "noop" is actually an acronym for "Not Open to Opportunities Presently"! (;->)

0 Karma
Reply
Solved! Jump to solution

javo
Explorer
‎02-18-2013 06:51 AM

I was tying that with eval Description = if(Key=Red,Description1,Description2)... How could I not see the '==' noob mistake.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...