Solved: conditional switch in splunk

a_dev · ‎06-01-2011

Hi,

I have a splunk query which reads a log file and returns a list of values to a chart. However I need to values to be more "readable".
e.g. output:
$#@VALUE_1 ===> ONE

$#@VALUE_2 ===> TWO

$#@VALUE_3 ===> THREE

is there a way to say "if the value is $_VALUE_1, then output "ONE", else if the value is $_VALUE_2 then output "TWO"?

I am not able to modify what is written to the actual log

mw · ‎06-01-2011

You can use "eval"/"case" to create a new field with the desired value. This assumes those values are in the same existing field

... | eval new_field=case(old_field == "$_VALUE_1", "ONE", old_field == "$_VALUE_2", "TWO")

View solution in original post

mw · ‎06-01-2011

You can use "eval"/"case" to create a new field with the desired value. This assumes those values are in the same existing field

... | eval new_field=case(old_field == "$_VALUE_1", "ONE", old_field == "$_VALUE_2", "TWO")

conditional switch in splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation