Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk search eval or other command

Harikiranjammul
Explorer
‎05-16-2025 03:47 AM

Have events like below

1) date-Timestamp

Server - hostname

Status - host is down

Threshold - unable to ping

 

2) 

Date-Timestamp

Db - dbname

Status- database is down

Instance status- DB instance is not available 

 

I would need to write Eval condition and create new field description that if field status is " database is down" , I need to add date, dB, status, Instances status fields to description field

 

And if status is host down, need to add date,server, status, threshold to description field.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-16-2025 04:28 AM 
| eval description=case(Status="host is down",Date.",".Server.",".Status.",".Threshold,Status="database is down",Date.",".Db.",".Status.",".'Instance status')

View solution in original post

Reply
Solved! Jump to solution

livehybrid
Super Champion
‎05-16-2025 05:22 AM

Hi @Harikiranjammul 

Use an eval statement with a conditional to build the description field based on the value of status.

|makeresults | eval Server="host1", Status="host is down", Threshold="unable to ping"
| append [| makeresults | eval Db="db1", Status="database is down", Instance_status="DB instance is not available"]
| eval date=strftime(_time, "%d/%m/%Y %H:%M:%S")
| eval description=case(
Status=="database is down", "date=" . date . " Db=" . Db . " Status=" . Status . " Instance_status=" . Instance_status,
Status=="host is down", "date=" . date . " Server=" . Server . " Status=" . Status . " Threshold=" . Threshold
)

 

This SPL checks the Status field and constructs the description field by concatenating the relevant fields for each case.

Ensure your field names match exactly (case-sensitive) and are extracted correctly before using this logic.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-16-2025 04:28 AM 
| eval description=case(Status="host is down",Date.",".Server.",".Status.",".Threshold,Status="database is down",Date.",".Db.",".Status.",".'Instance status')
Reply
Solved! Jump to solution

Harikiranjammul
Explorer
‎05-16-2025 06:02 AM

Thank you

How can I use eval like here?

I mean here status field contains someother text before and after the 'Host is down' and 'database is down' values and it varies every event.

just wanted to put status=like(*host is down*)

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-16-2025 08:22 AM 
| eval description=case(like(Status,"%host is down%"),Date.",".Server.",".Status.",".Threshold,like(Status,"%database is down%"),Date.",".Db.",".Status.",".'Instance status')
0 Karma
Reply
Solved! Jump to solution

livehybrid
Super Champion
‎05-16-2025 07:01 AM

Hi @Harikiranjammul 

If you can, restrict the first part of the search by adding

(Status="*host is down* OR Status="*Some other criteria*")

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
Top