Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

i have a search that i need to modify the field A based on results of field B

rwiley
Explorer
‎05-06-2016 09:36 AM

i have an index with field (Value) that brings in results as bytes or percentage according to what the (counter) field is. example i need to round (value) field to two decimal places if (counter=available bytes) or round (Value) field if (counter=%free space).

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎05-07-2016 03:10 AM

Not sure if I understood correctly your question so if that's not the case please post an example.

In any case, try this and let me know if that's what you are looking for:

your search here
| eval Value = case (
    counter == "available bytes", round(Value, 2),
    counter == "%free space", round(Value),
    1 == 1, "OTHERS"
)

The 1 == 1 is just a default clause to make sure you are not ignoring any potential values. You can then search Value = OTHERS to find out if something didn't match any of the previous two clauses.

Thanks,
J

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎05-07-2016 03:10 AM

Not sure if I understood correctly your question so if that's not the case please post an example.

In any case, try this and let me know if that's what you are looking for:

your search here
| eval Value = case (
    counter == "available bytes", round(Value, 2),
    counter == "%free space", round(Value),
    1 == 1, "OTHERS"
)

The 1 == 1 is just a default clause to make sure you are not ignoring any potential values. You can then search Value = OTHERS to find out if something didn't match any of the previous two clauses.

Thanks,
J

0 Karma
Reply
Solved! Jump to solution

rwiley
Explorer
‎05-09-2016 05:59 AM

this is what i needed. i made an edit but i guess it did not save. the available bytes i needed to convert bytes to Gb. i tried this sum(Value/1024/1024)

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎05-09-2016 07:09 AM

You need to convert your Value to GB before using sum.
Something like:

 your search here
 | eval Value = case (
     counter == "available bytes", round(Value/1024/1024, 2),
     counter == "%free space", round(Value),
     1 == 1, "OTHERS"
 )
0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎05-09-2016 09:32 AM

By the way, if the response above is what you were looking for please do not forget to mark it as answered so that others can benefit from it.

Thanks
J

0 Karma
Reply
Solved! Jump to solution

rwiley
Explorer
‎05-09-2016 09:34 AM

it does work. it didn't put the results where i needed them. i am trying to manipulate it to get everything the way i need it to work. thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...