Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Using If then in combination with case
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using If then in combination with case
I would like to create a new tag field based on multiple conditions. I think I have figured out how to specify my conditions, but I would like to create a true/false result in a new field. I am not sure how to do this.
Here is my command so far. I would like to create a new true/false field based on whether or not "hostgroup" is a match with all of the conditions specified. Should return true is case is a match, and false if not.
sourcetype= | eval hostgroup=case(host LIKE "%BE%", "BE", host LIKE "%MT%", "MT", host LIKE "%FE%", "FE", host LIKE "%", "Others")
Any tips on how to setup the true/false portion of my request?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure if this is what you are thinking of but I'd add , 1=1, "Other") at the end of my case statement. That way something evaluates to true. Actually what I normally use for the string is 'fixme' 😃
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can append this to your search (assuming your case statement is returning as expected)
.... | eval found=if(hostgroup="Others", false, true)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to clarify, the "Others" value here is not indicative of all of the previous matches conditions being met but it's the opposite. "Others" in this case means that the hostgroup string did not contain BE, MT, or FE.
If you append what @sundareshr is suggesting, the string 'found' would be false if the hostgroup string did not contain BE, MT, or FE and would be true if the hostgroup string contained any one of those things.
I'm not sure if Others is supposed to represent that or not, but if it is this should take care of your issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is hostgroup a field in your data? Can you let us know specifically what a true and a false condition would look like?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
