Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- compare two fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I am looking to compare two field values with three conditions as below:
if it satisfy the condition xyz>15 & abc>15 def field should result xyzabc
if it satisfy the condition xyz>15 & abc<15 def field should result xyz
if it satisfy the condition xyz<15 & abc>15 def field should result abc
I have tried with eval with combination of if & case, but results are not displaying as expected.
Kindly help me out on this.
Regards,
BK
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi bharathkumarnec,
did you tried something like this:
your_search
| eval def=case(xyz>15 AND abc>15,"xyzabc",xyz>15 AND abc<15,"xyz",xyz<15 AND abc>15,"abc")
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi bharathkumarnec,
did you tried something like this:
your_search
| eval def=case(xyz>15 AND abc>15,"xyzabc",xyz>15 AND abc<15,"xyz",xyz<15 AND abc>15,"abc")
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thnx it worked.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you put in what you have tried? Also based on numeric fields that you are working with... in the first case whether you want the sum of two numbers xyz and abc in the first case or multiplication or concatenation?
Have you tried something like the following:
eval result=case(xyz>15 AND abc>15,xyz*abc,xyz>15 AND abc<15,xyz,xyz<15 AND abc>15,xyz,1==1,"both less than 15")
[Updated with run anywhere search]
Can you please try the following run anywhere search. As you can see if the value of xyz and abc is 15 it will hit default block with value Other. You can try changing values for xyz and abc to validate the case statement.
| makeresults
| eval xyz=15
| eval abc=15
| eval xyzabc=20
| eval result=case(xyz>15 AND abc>15,xyzabc,xyz<15 AND abc>15,abc,xyz>15 AND abc<15,xyz,1==1,"Other")
| table result
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tried the similar one, but this is not showing any results.
I am not looking to multiple nor concatenation, if xyz & abc both are greater than 15 I need to show third column value as "Both"(String not numeric) something like this..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@bharathkumarnec... You need to mark code using 1010 button so that it does not get removed from your post. I have updated my query with run anywhere search please try that out and let me know if I misunderstood your question.
| makeresults | eval message= "Happy Splunking!!!"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
