Hello everyone,
I have this SPL below that I am using:
index=abcde* | eval logtype = if(match(_raw,".*?LTStamp.*?ConnID.*?Exp"),"browser"," ") | eval logtype = if(match(_raw,".*?MT.*?CTime.*?MBy"),"admin"," ") | eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?SID.*?InReason"),"useractivity"," ") | eval logtype = if(match(_raw,".*?LTStamp.*?Cust.*?SID.*?SessType"),"appconnector"," ") | eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?Uname.*?SID"),"userstatus"," "),
When I am using this in a search, the new field "logtype" is created, but the field value is just empty with a count, and also it is only taking the first eval statement and omitting the rest.
If I use only one eval statement, for example the 3rd eval statement "| eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?SID.*?InReason"),"useractivity"," ")", it gives me the value "useractivity" against the newly created "logtype" field.
Now, my question is how I can join all these different eval statements into a single "eval" statement using the condition that I have used in the SPL above:
[eval logtype = if(match,(regex), "X"," ")]
Note: the regexes (.*?LTStamp.*?ConnID.*?Exp) used in the match condition are hardcoded from the events we received into Splunk.
Or can we use any other condition such as CASE, LIKE, etc., so that I can get all these field values (browser, adminlogs, useractivity, appconnector and userstatus) under the "logtype" field like I mentioned below?
logtype
Values          count   %
browser         xx      xx%
adminlogs       xx      xx%
useractivity    xx      xx%
appconnector    xx      xx%
userstatus      xx      xx%
Hope the above question makes sense; any help on this will be much appreciated.
Thanks...!!!
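One way to get a single "logtype" field, as an added example that is not part of the original post: a single eval with case() returns the value of the first condition that is true, whereas a chain of separate evals reassigns logtype every time, so only the last if() survives. The Python below emulates both over constructed sample events (the SPL equivalent is in the leading comment; the sample values and function names are assumptions).

```python
import re

# The five patterns from the question, in the order the asker wrote them.
# Equivalent single SPL eval; case() returns the value of the FIRST true condition:
#   | eval logtype = case(
#       match(_raw, ".*?LTStamp.*?ConnID.*?Exp"),              "browser",
#       match(_raw, ".*?MT.*?CTime.*?MBy"),                    "admin",
#       match(_raw, ".*?LTStamp.*?Customer.*?SID.*?InReason"), "useractivity",
#       match(_raw, ".*?LTStamp.*?Cust.*?SID.*?SessType"),     "appconnector",
#       match(_raw, ".*?LTStamp.*?Customer.*?Uname.*?SID"),    "userstatus",
#       true(), " ")
RULES = [
    (r".*?LTStamp.*?ConnID.*?Exp", "browser"),
    (r".*?MT.*?CTime.*?MBy", "admin"),
    (r".*?LTStamp.*?Customer.*?SID.*?InReason", "useractivity"),
    (r".*?LTStamp.*?Cust.*?SID.*?SessType", "appconnector"),
    (r".*?LTStamp.*?Customer.*?Uname.*?SID", "userstatus"),
]

def classify_case(raw):
    """Emulate case(): label of the first matching rule, " " if none match."""
    for pattern, label in RULES:
        if re.search(pattern, raw):
            return label
    return " "

def classify_chained_if(raw):
    """Emulate the asker's five separate evals: each eval reassigns logtype,
    so only the LAST if() decides the value and earlier matches are lost."""
    logtype = " "
    for pattern, label in RULES:
        logtype = label if re.search(pattern, raw) else " "
    return logtype

def count_logtypes(events, classify):
    """Rough stand-in for '| stats count by logtype'."""
    counts = {}
    for raw in events:
        label = classify(raw)
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample _raw values: one per log type plus one unrelated line.
SAMPLE_EVENTS = [
    "LTStamp=2024-01-01T10:00:00 ConnID=17 Exp=3600",
    "MT=login CTime=1700000000 MBy=alice",
    "LTStamp=2024-01-01T10:00:01 Customer=acme SID=42 InReason=timeout",
    "LTStamp=2024-01-01T10:00:02 Cust=acme SID=43 SessType=vpn",
    "LTStamp=2024-01-01T10:00:03 Customer=acme Uname=bob SID=44",
    "heartbeat ok",
]
```

Because case() stops at the first true condition, an event that satisfies both the "useractivity" and "appconnector" patterns is labelled by whichever comes first in the list, so order the conditions from most to least specific.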