Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

compare two fields

bharathkumarnec
Contributor
‎03-14-2017 12:34 AM

Hi All,

I am looking to compare two field values with three conditions as below:

if it satisfy the condition xyz>15 & abc>15 def field should result xyzabc
if it satisfy the condition xyz>15 & abc<15 def field should result xyz
if it satisfy the condition xyz<15 & abc>15 def field should result abc

I have tried with eval with combination of if & case, but results are not displaying as expected.

Kindly help me out on this.

Regards,
BK

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-14-2017 02:35 AM

Hi bharathkumarnec,
did you tried something like this:

your_search 
| eval def=case(xyz>15 AND abc>15,"xyzabc",xyz>15 AND abc<15,"xyz",xyz<15 AND abc>15,"abc")

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-14-2017 02:35 AM

Hi bharathkumarnec,
did you tried something like this:

your_search 
| eval def=case(xyz>15 AND abc>15,"xyzabc",xyz>15 AND abc<15,"xyz",xyz<15 AND abc>15,"abc")

Bye.
Giuseppe

Reply
Solved! Jump to solution

bharathkumarnec
Contributor
‎03-14-2017 04:56 AM

Thnx it worked.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-14-2017 01:14 AM

Can you put in what you have tried? Also based on numeric fields that you are working with... in the first case whether you want the sum of two numbers xyz and abc in the first case or multiplication or concatenation?

Have you tried something like the following:

eval result=case(xyz>15 AND abc>15,xyz*abc,xyz>15 AND abc<15,xyz,xyz<15 AND abc>15,xyz,1==1,"both less than 15")

[Updated with run anywhere search]
Can you please try the following run anywhere search. As you can see if the value of xyz and abc is 15 it will hit default block with value Other. You can try changing values for xyz and abc to validate the case statement.

| makeresults 
| eval xyz=15
| eval abc=15
| eval xyzabc=20
| eval result=case(xyz>15 AND abc>15,xyzabc,xyz<15 AND abc>15,abc,xyz>15 AND abc<15,xyz,1==1,"Other")
| table result
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

bharathkumarnec
Contributor
‎03-14-2017 01:23 AM

tried the similar one, but this is not showing any results.

I am not looking to multiple nor concatenation, if xyz & abc both are greater than 15 I need to show third column value as "Both"(String not numeric) something like this..

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-14-2017 03:07 AM

@bharathkumarnec... You need to mark code using 1010 button so that it does not get removed from your post. I have updated my query with run anywhere search please try that out and let me know if I misunderstood your question.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...