Solved: Using Eval statement

Splunk_rocks · ‎04-23-2018

Hello Splunkers,
I have case field with below information so i need to construct Eval field.

case**

XYZ
2
0
3
yzr

Now i have to construct eval field like

If case=string then print case as it was in case field
case=2 then print " error code 2"
case =3 the print " error code 3"
case=0 then " error zero "

ssadanala1 · ‎04-23-2018

Try this

| makeresults
| eval temp="XYZ,2,0,3,yzr"
| eval temp = split(temp,",")
| mvexpand temp
| eval status = case (temp=2 ,"error code 2 ", temp=3 ,"errorcode 3",temp = 0 , "error code 0",if(isstr(temp),"yes","no")=="yes" ,temp)

View solution in original post

ssadanala1 · ‎04-23-2018

Try this

| makeresults
| eval temp="XYZ,2,0,3,yzr"
| eval temp = split(temp,",")
| mvexpand temp
| eval status = case (temp=2 ,"error code 2 ", temp=3 ,"errorcode 3",temp = 0 , "error code 0",if(isstr(temp),"yes","no")=="yes" ,temp)

Splunk_rocks · ‎04-23-2018

Thanks but that will not fulfill my req i need add Eval field to props file based on output.

ssadanala1 · ‎04-23-2018

You can use this in caluclated fields in props.conf by specifying like this

EVAL-status = case (temp=2 ,"error code 2 ", temp=3 ,"errorcode 3",temp = 0 , "error code 0",if(isstr(temp),"yes","no")=="yes" ,temp)

somesoni2 · ‎04-23-2018

Minor cosmetic correction:

EVAL-status = case (temp=2 ,"error code 2 ", temp=3 ,"errorcode 3",temp = 0 , "error code 0",isstr(temp), ,temp)

Splunk_rocks · ‎04-23-2018

Thanks somesoni & ssadanala1 it worked for me now.

Using Eval statement

3 Ways to Make OpenTelemetry Even Better

What's New in Splunk Cloud Platform 9.2.2406?

Enterprise Security Content Update (ESCU) | New Releases