Multiple field values combined into two different ...

jason_hotchkiss · ‎10-27-2020

Hello Splunkers

I have the following field: Message

The Message fields have the following values: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

I need to create two additional fields: Success and Failure

Values for Success are: 2,4,6,10, & 12
Values for Failure are: 1,3,5,9,13

All unused values are ignored and not included in either the Success or Failure field.

I have tried the following:
| eval status=if(in(Message,"2","4","6","10","12"),"Success","Failure")

This does two things: The eval statement groups all the values in Success, correctly. However, the eval statement groups all the values in Failure, incorrectly (by including all values other than 2,4,6,10, & 12). Additionally, it groups these into a single field with two values, Success & Failure. However, I would prefer to create two new fields with just the selected values for Success & Failure.

UPDATE - I think I figured this out:

eval success=case(Message="2","2",Message="4","4",Message="6","6",Message="10","10",Message="12","12")

eval failure=case(Message="1","1",Message="3","3",Message="5","5",Message="9","9",Message="13","13")

|stats values(success) values(failures) to validate.

Is there a better way to do it? Thank you!

ITWhisperer · ‎10-27-2020

How about

| eval success=if(in(Message,"2","4","6","10","12"),Message,null)
| eval failure=if(in(Message,"1","3","5","9","13"),Message,null)
| stats values(success) values(failure)

Multiple field values combined into two different fields

eval

fields

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!