Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Two questions one answer

isrjo
Explorer
‎11-21-2010 01:07 PM

Greetings, I'm new to splunk and even though I'm extremely impressed with what I have seen/managed to do so far I still have not fully understand the structure of the querys, nor what functions to use where.

I have managed to introduce logs from our e-mail system and defined fields inside splunk accordingly. The problem however is that the meaning of the fields changes depending on the event. So for example my introduced field event_group with value 5 contains sent e-mail events and value 6 received, meaning in a group 5 event the sender is placed in field m_username and recipient in field m_sr_name, and for a group 6 it's the other way around.

The challange i'm facing is to present both events in one table sorted by date. Just to illustrate, these are the two questions I would like to combine and have the output sent to the same table.

VBEAAAAABcO+PgAAZAABX1MLAb5U event_group="5" | rename m_ptime AS "Date_time", m_username AS "Sender", m_sr_name AS "Recipient" | table Date_time , Sender , Recipient

VBEAAAAABcO+PgAAZAABX1MLAb5U event_group="6" | rename m_ptime AS "Date_time", m_username AS "Recipient", m_sr_name AS "Sender" | table Date_time , Sender , Recipient

I have played around with various subsearches but as soon as I rename the fields inside the subsearch I am no longer able to extract that field, not even sure if that is the best approach.

0 Karma
Reply

southeringtonp
Motivator
‎11-21-2010 04:59 PM

The simplest method is to use eval -- take a look at eval and functions for eval and where:

VBEAAAAABcO+PgAAZAABX1MLAb5U event_group="5" OR event_group="6"
| eval Sender=if(event_group==5, m_username, m_sr_name)
| eval Recipient=if(event_group==5, m_sr_name, m_username)
| table Date_time, Sender, Recipient

Alternately, you can modify your field extractions to extract field names differently depending on context. The difficulty of doing so will vary depending on what your raw events look like.

Reply

isrjo
Explorer
‎11-21-2010 07:31 PM

Thanks alot mate, been looking for a "if" - ability, unaware it was underneath the eval command. And yes it worked like a charm..

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...