Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to create a new column from other column in a ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a table view. In this table view is a column named operating-system. I want to create a new column OS where I want to rename OS example all Microsoft windows server version just to rename to windows server, all linux versions and distributions to linux and so on for example:
operating-system | OS
Microsoft Windows 10 | Windows OS
Microsoft Windows 8 | Windows OS
Linux | Linux
Microsoft Windows Server 2019 | Windows Server
Microsoft Windows Server 2012 | Windows Server
CentOS | Linux
Ubuntu | Linux
Microsoft Windows Server 2016 | Windows Server
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Pikta,
you need an eval - case command, something like this:
<your_search>
| eval OS=case(
like('operating-system',"Microsoft Windows Server%"), "Windows Server",
like('operating-system',"Microsoft Windows%"), "Windows OS",
'operating-system'="Linux", "Linux",
'operating-system'="CentOS", "Linux",
'operating-system'="Ubuntu", "Linux")obviously, you can enlarge the command also with other options.
Next time, if possible, don't use "-" (or spaces) in field names, use underscore (_) because Splunk uses "-" as an operator, so you have to use quotes in the field name.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Pikta,
you need an eval - case command, something like this:
<your_search>
| eval OS=case(
like('operating-system',"Microsoft Windows Server%"), "Windows Server",
like('operating-system',"Microsoft Windows%"), "Windows OS",
'operating-system'="Linux", "Linux",
'operating-system'="CentOS", "Linux",
'operating-system'="Ubuntu", "Linux")obviously, you can enlarge the command also with other options.
Next time, if possible, don't use "-" (or spaces) in field names, use underscore (_) because Splunk uses "-" as an operator, so you have to use quotes in the field name.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gcusello
Thank You for the advice. I've already tried something similar, but I always get the error: "Error in 'EvalCommand': Failed to parse the provided arguments. Usage: eval dest_key = expression. " Maybe I'm creating a new column wrong? I go to Add New -> Eval Expression, then Field name "OS" and expression - search text
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found a solution
Just needed to write
case(
like('operating-system',"Microsoft Windows Server%"), "Windows Server",
like('operating-system',"Microsoft Windows%"), "Windows OS",
like('operating-system',"%Linux%"), "Linux",
like('operating-system',"%CentOS%"), "Linux",
like('operating-system',"%Debian%"), "Linux",
like('operating-system',"%CentOS%"), "Linux"
)
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Splunk MCP & Agentic AI: Machine Data Without Limits
