Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- use eval to change field vale
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have this logs:
URI: tttplitmr_78 METHOD: POST
BODY: {"s_data": {"System.ProcessorName": "Intel(R) Xeon(R) CPU E5-2690 0 @ 2.90GHz", "WIDI.AdapterModel": "", "System.Manufacturer": "Xen", "WiFi.DriverVersion": "", "WIDI.FWVersion": "", "Graphics.PCReleaseMajor": "", "WiFi.DriverProviderName": "", "OS.Version": "6.1.7601", "OS.Arch": "64", "OEM.InstallCriticalDrivers": "True", "WIDI.AppVersion": "", "Graphics.PCReleaseMinor": "", "Graphics.DriverVersion": "", "Graphics.MatchingID": "", "Graphics.HardwareID": "", "System.Vendor": "Xen", "System.ProcessorId": "1789FBFF000206D7", "OS.Locale": "en-US", "WiFi.BundleVersion": "", "Graphics.DriverProviderName": "", "WiFi.HardwareID": ""},
i want to change OS. version: "6.1.7" to windows 8 , "6.3". to windows 8.1, "6.1.42" to W7 and so on for all OS wich are represented as numbers.
I have this query but the eval is not changing the fields. what am i doing wrong? (i only try with W8)
index= foo | rex field=summary "BODY: (?{.*)" | spath input=json_data |eval shared_data.OS.Version = case ( shared_data.OS.Version == "6.1.7", "windows 8" ) | chart count by shared_data.OS.Version | sort -count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try (check the field name in eval, based on your data it should s_data.OS.Version)
index= foo | rex field=summary "BODY: (?<json_data>\{.+)" | spath input=json_data |eval "shared_data.OS.Version" = case ( 'shared_data.OS.Version' = "6.1.7", "windows 8",'shared_data.OS.Version'="6.1.7","windows 7", true(),'shared_data.OS.Version') | chart count by shared_data.OS.Version | sort -count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it works, but it doesn´t show the other versions now! only w 7 and 8. why is the ,true() for? and why shared_data.OS.Version is again at the end?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
typo error, my bad. is working fine. thanks dude
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try (check the field name in eval, based on your data it should s_data.OS.Version)
index= foo | rex field=summary "BODY: (?<json_data>\{.+)" | spath input=json_data |eval "shared_data.OS.Version" = case ( 'shared_data.OS.Version' = "6.1.7", "windows 8",'shared_data.OS.Version'="6.1.7","windows 7", true(),'shared_data.OS.Version') | chart count by shared_data.OS.Version | sort -count
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
