Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use eval statement with and, if, then

mistydennis
Communicator
‎05-19-2017 08:54 AM

Example: I'm trying to count how many books we have in our database based on subject: children's, romance, travel, etc. Right now I have a chart that lists out the subject and the count. But I need to pull out a certain type of book and break it down into further categories based on additional metadata. What statement can I use for something like this:

if book=travel AND author=James, then localtravel. If not, foreigntravel.

I'm trying to get everything to fall into one column beneath "Book Type" so it reads:

Children
Romance
LocalTravel
ForeignTravel

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-19-2017 01:09 PM

Like this:

Your Base Search Here
| eval book = case(
    (book="travel" AND author="James"), "localtravel",
        ...
    Other "localtravel" Cases Here
        ...
    (book="travel"),                    "foreigntravel",
        ...
    Other Cases Here
        ...
    true(),                             book)

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-19-2017 01:09 PM

Like this:

Your Base Search Here
| eval book = case(
    (book="travel" AND author="James"), "localtravel",
        ...
    Other "localtravel" Cases Here
        ...
    (book="travel"),                    "foreigntravel",
        ...
    Other Cases Here
        ...
    true(),                             book)
Reply
Solved! Jump to solution

mistydennis
Communicator
‎05-19-2017 01:56 PM

Thank you, that's exactly what I was looking for!

Reply
Solved! Jump to solution

cmerriman
Super Champion
‎05-19-2017 09:00 AM

you can do a if statement:

|eval BookType=if(book="travel" AND author="James","LocalTravel","ForeignTravel")

if you need to add more to it, use a case statement.

if you can create a lookup table with all the fields you'd like to compare, that might be best, if there are a lot.

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...