Solved: Using Eval statement

Splunk_rocks · ‎04-23-2018

Hello Splunkers,
I have case field with below information so i need to construct Eval field.

case**

XYZ
2
0
3
yzr

Now i have to construct eval field like

If case=string then print case as it was in case field
case=2 then print " error code 2"
case =3 the print " error code 3"
case=0 then " error zero "

ssadanala1 · ‎04-23-2018

Try this

| makeresults
| eval temp="XYZ,2,0,3,yzr"
| eval temp = split(temp,",")
| mvexpand temp
| eval status = case (temp=2 ,"error code 2 ", temp=3 ,"errorcode 3",temp = 0 , "error code 0",if(isstr(temp),"yes","no")=="yes" ,temp)

View solution in original post

ssadanala1 · ‎04-23-2018

Try this

| makeresults
| eval temp="XYZ,2,0,3,yzr"
| eval temp = split(temp,",")
| mvexpand temp
| eval status = case (temp=2 ,"error code 2 ", temp=3 ,"errorcode 3",temp = 0 , "error code 0",if(isstr(temp),"yes","no")=="yes" ,temp)

Splunk_rocks · ‎04-23-2018

Thanks but that will not fulfill my req i need add Eval field to props file based on output.

ssadanala1 · ‎04-23-2018

You can use this in caluclated fields in props.conf by specifying like this

EVAL-status = case (temp=2 ,"error code 2 ", temp=3 ,"errorcode 3",temp = 0 , "error code 0",if(isstr(temp),"yes","no")=="yes" ,temp)

somesoni2 · ‎04-23-2018

Minor cosmetic correction:

EVAL-status = case (temp=2 ,"error code 2 ", temp=3 ,"errorcode 3",temp = 0 , "error code 0",isstr(temp), ,temp)

Splunk_rocks · ‎04-23-2018

Thanks somesoni & ssadanala1 it worked for me now.

Using Eval statement

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation