Solved: creating an 'other' field with eval

tomlongfield · ‎04-22-2016

I am quite knew to this and not remotely wedded to eval as the solution for this problem, I am eager to know if there is a better way to do this.

I am currently using this query:

index=cpdata | eval ua = case(
    match(userAgent, "MSIE"), "Windows",
    match(userAgent, "Windows"), "Windows",
    match(userAgent, "Android"), "Android",
    match(userAgent, "BlackBerry"), "BlackBerry",
    match(userAgent, "like Mac OS X"), "iOS"
) | chart count by ua | sort by count | reverse

Which is successfully giving me what I expect to see.. I want to create a further case of 'Other' where anything that doesn't match is counted though. I have not managed to do this.

Richfez · ‎04-22-2016

Try this - one always equals one so it'll always be true...

 index=cpdata | eval ua = case(
     match(userAgent, "MSIE"), "Windows",
     match(userAgent, "Windows"), "Windows",
     match(userAgent, "Android"), "Android",
     match(userAgent, "BlackBerry"), "BlackBerry",
     match(userAgent, "like Mac OS X"), "iOS",
     1==1, "Other"
 ) | chart count by ua | sort by count | reverse

View solution in original post

Richfez · ‎04-22-2016

Try this - one always equals one so it'll always be true...

 index=cpdata | eval ua = case(
     match(userAgent, "MSIE"), "Windows",
     match(userAgent, "Windows"), "Windows",
     match(userAgent, "Android"), "Android",
     match(userAgent, "BlackBerry"), "BlackBerry",
     match(userAgent, "like Mac OS X"), "iOS",
     1==1, "Other"
 ) | chart count by ua | sort by count | reverse

tomlongfield · ‎04-22-2016

Works perfectly, thank you.

creating an 'other' field with eval

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor