Solved: conditional switch in splunk

a_dev · ‎06-01-2011

Hi,

I have a splunk query which reads a log file and returns a list of values to a chart. However I need to values to be more "readable".
e.g. output:
$#@VALUE_1 ===> ONE

$#@VALUE_2 ===> TWO

$#@VALUE_3 ===> THREE

is there a way to say "if the value is $_VALUE_1, then output "ONE", else if the value is $_VALUE_2 then output "TWO"?

I am not able to modify what is written to the actual log

mw · ‎06-01-2011

You can use "eval"/"case" to create a new field with the desired value. This assumes those values are in the same existing field

... | eval new_field=case(old_field == "$_VALUE_1", "ONE", old_field == "$_VALUE_2", "TWO")

View solution in original post

mw · ‎06-01-2011

You can use "eval"/"case" to create a new field with the desired value. This assumes those values are in the same existing field

... | eval new_field=case(old_field == "$_VALUE_1", "ONE", old_field == "$_VALUE_2", "TWO")

conditional switch in splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Mile High Learning with Splunk University, Denver, Colorado

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Join the Conversation