Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

conditional switch in splunk

a_dev
Engager
‎06-01-2011 02:35 AM

Hi,

I have a splunk query which reads a log file and returns a list of values to a chart. However I need to values to be more "readable".
e.g. output:
$#@VALUE_1 ===> ONE

$#@VALUE_2 ===> TWO

$#@VALUE_3 ===> THREE

is there a way to say "if the value is $_VALUE_1, then output "ONE", else if the value is $_VALUE_2 then output "TWO"?

I am not able to modify what is written to the actual log

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mw
Splunk Employee
Splunk Employee
‎06-01-2011 06:11 AM

You can use "eval"/"case" to create a new field with the desired value. This assumes those values are in the same existing field

... | eval new_field=case(old_field == "$_VALUE_1", "ONE", old_field == "$_VALUE_2", "TWO")

View solution in original post

Reply
Solved! Jump to solution
Solution

mw
Splunk Employee
Splunk Employee
‎06-01-2011 06:11 AM

You can use "eval"/"case" to create a new field with the desired value. This assumes those values are in the same existing field

... | eval new_field=case(old_field == "$_VALUE_1", "ONE", old_field == "$_VALUE_2", "TWO")

View solution in original post

Reply
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!