Splunk Search

rename the search results for multiple conditions

nagarajsf
Explorer

Hello, I'm trying to rename query output and those are string values.
expecting output for field MANAGER_NAME would be like below,
XZ* = PRD
X* = PRD
XY = PRD
YL = DEV
ZN = QAT

tried with below query but it's not working any suggestions?

index=alarms sourcetype=ommc_alarms APPLICATION=spk OR APPLICATION=*spk3* | eval MANAGER_NAME1=case(MANAGER_NAME==XZ* OR MANAGER_NAME==X*  OR MANAGER_NAME==XY,"Prd") | eval MANAGER_NAME2=case(AMONAME=="YL*",Dev,AMONAME=="ZN*",QAT) 
 | stats count by MANAGER_NAME1 ,MANAGER_NAME2
0 Karma

FrankVl
Ultra Champion

That stats command only works for events with both MANAGER_NAME1 and MANAGER_NAME2 fields populated. I'm guessing that is not the case?

Also: your first case statement is missing the " characters around the XZ* etc.
Also: MANAGER_NAME=="XZ*" OR MANAGER_NAME=="X*" OR MANAGER_NAME=="XY" is a bit silly. Since you include "X*" as one of the options, that already covers the other two cases.
Anyway, you cannot use wildcards there.

You'd probably want to put it all into 1 case statement and use the match() function. E.g.:

index=alarms sourcetype=ommc_alarms APPLICATION=spk OR APPLICATION=*spk3*
| eval MANAGER_NAME1=case(match(MANAGER_NAME,"^X.*"),"Prd",match(AMONAME,"^YL.*"),Dev,match(AMONAME,"^ZN.*"),QAT) 
| stats count by MANAGER_NAME1

If that is not what you are after, please describe in more detail what your data looks like and what the result would be that you want out of this.

0 Karma

nagarajsf
Explorer

Hello @FrankVl ,

Added example values above query.
I trying as you suggested but it giving me only first value Prd, but I need all matching values to Prod, Dev, QAT

index=alarms sourcetype=ommc_alarms APPLICATION=spk OR APPLICATION=*spk3* | eval MANAGER_NAME1=case(match(MANAGER_NAME,"^prdplhdpx*"),"Prd",match(AMONAME,"^qatehdp*"),"Dev",match(AMONAME,"^devehdp*"),"QAT") 
 | stats count by MANAGER_NAME1

I want to create a dropdown dashboard based on selection of the environment.

0 Karma

FrankVl
Ultra Champion

If that search only gives you a Prd result, there is probably something incorrect in the criteria of the case statement. Note: match uses regular expressions, which are case sensitive.

Run the search without the stats count part and see if the MANAGER_NAME1 is populated correctly for all events.

0 Karma

nagarajsf
Explorer

Yes, I ran query without or with stats count, in both cases, it is giving value of which match provided in the case.

For instance if I gave match(MANAGER_NAME,"^prdplhdpx*"),"Prd" in a first place of case then giving matched value of it and its not considering other match options, match(AMONAME,"^qatehdp*"),"Dev",match(AMONAME,"^devehdp*"),"QAT").

basically MANAGER_NAME1 value is populating first match of case and it's ignoring other options

0 Karma

FrankVl
Ultra Champion

Can you show a sample of your data showing the MANAGER_NAME and AMONAME fields and the result of the case statement as it is put into MANAGER_NAME1?

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...