Splunk Search

Two questions one answer

isrjo
Explorer

Greetings, I'm new to Splunk and even though I'm extremely impressed with what I have seen/managed to do so far, I still have not fully understood the structure of the queries, nor what functions to use where.

I have managed to introduce logs from our e-mail system and defined fields inside Splunk accordingly. The problem, however, is that the meaning of the fields changes depending on the event. So for example my introduced field event_group with value 5 contains sent e-mail events and value 6 received, meaning in a group 5 event the sender is placed in field m_username and the recipient in field m_sr_name, and for a group 6 it's the other way around.

The challenge I'm facing is to present both events in one table sorted by date. Just to illustrate, these are the two questions I would like to combine and have the output sent to the same table.

VBEAAAAABcO+PgAAZAABX1MLAb5U event_group="5" | rename m_ptime AS "Date_time", m_username AS "Sender", m_sr_name AS "Recipient" | table Date_time , Sender , Recipient

VBEAAAAABcO+PgAAZAABX1MLAb5U event_group="6" | rename m_ptime AS "Date_time", m_username AS "Recipient", m_sr_name AS "Sender" | table Date_time , Sender , Recipient

I have played around with various subsearches, but as soon as I rename the fields inside the subsearch I am no longer able to extract that field; I'm not even sure if that is the best approach.

0 Karma

southeringtonp
Motivator

The simplest method is to use eval -- take a look at eval and functions for eval and where:

VBEAAAAABcO+PgAAZAABX1MLAb5U (event_group="5" OR event_group="6")
| eval Sender=if(event_group==5, m_username, m_sr_name)
| eval Recipient=if(event_group==5, m_sr_name, m_username)
| rename m_ptime AS Date_time
| table Date_time, Sender, Recipient

Alternately, you can modify your field extractions to extract field names differently depending on context. The difficulty of doing so will vary depending on what your raw events look like.
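A fuller form of the same eval-based normalization, added here as an example rather than taken from the answer above: case() maps each event_group to a direction (with a catch-all so unexpected groups are visible instead of silently mis-assigned), the Sender/Recipient swap is driven by that direction, the original Date_time column is kept, and the combined timeline is sorted newest first. The search term, field names and group values are the ones from the question; the "unknown" default and the direction column are assumptions.

```spl
VBEAAAAABcO+PgAAZAABX1MLAb5U (event_group="5" OR event_group="6")
| eval direction=case(event_group==5, "sent", event_group==6, "received", true(), "unknown")
| eval Sender=if(direction=="sent", m_username, m_sr_name)
| eval Recipient=if(direction=="sent", m_sr_name, m_username)
| rename m_ptime AS Date_time
| sort 0 -_time
| table Date_time, direction, Sender, Recipient
```

Once Sender and Recipient carry one consistent meaning, replacing the final table with `stats count BY direction, Sender` gives a per-address sent/received summary without any further renaming.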

isrjo
Explorer

Thanks a lot mate, I've been looking for an "if" ability, unaware it was underneath the eval command. And yes, it worked like a charm.

0 Karma