Multiple field values combined into two different ...

jason_hotchkiss · ‎10-27-2020

Hello Splunkers

I have the following field: Message

The Message fields have the following values: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

I need to create two additional fields: Success and Failure

Values for Success are: 2,4,6,10, & 12
Values for Failure are: 1,3,5,9,13

All unused values are ignored and not included in either the Success or Failure field.

I have tried the following:
| eval status=if(in(Message,"2","4","6","10","12"),"Success","Failure")

This does two things: The eval statement groups all the values in Success, correctly. However, the eval statement groups all the values in Failure, incorrectly (by including all values other than 2,4,6,10, & 12). Additionally, it groups these into a single field with two values, Success & Failure. However, I would prefer to create two new fields with just the selected values for Success & Failure.

UPDATE - I think I figured this out:

eval success=case(Message="2","2",Message="4","4",Message="6","6",Message="10","10",Message="12","12")

eval failure=case(Message="1","1",Message="3","3",Message="5","5",Message="9","9",Message="13","13")

|stats values(success) values(failures) to validate.

Is there a better way to do it? Thank you!

ITWhisperer · ‎10-27-2020

How about

| eval success=if(in(Message,"2","4","6","10","12"),Message,null)
| eval failure=if(in(Message,"1","3","5","9","13"),Message,null)
| stats values(success) values(failure)

Multiple field values combined into two different fields

eval

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation