Analyzing fields and concatenating results into new field

msarro
Builder

Greetings. I am working on a project to take in several fields of data. I would like to analyze each field of a record, and based on its results, place a comment in a new "Notes" field. This way a viewer can easily tell what happened without having to look at a ton of numbers. So, in a simplest case imagine you had three latencies in a csv:
1, 100, 11

If the goal was to have all be below 10, you could run a case statement against the first field, and since it was below 10, it wouldn't do anything. Then checking the second field it would be incredibly out of range, so it would add a note saying "Latency 2 excessively high.\n" (including a newline, if that is possible). Then it would check the third field and place a note in the notes field stating "Latency 3 marginally above threshold."

So in the end the contents of the "notes" field would say:

Latency 2 excessively high.
Latency 3 marginally above threshold.

Is this possible? Any ideas on how to accomplish it? In my case I will be analyzing approximately 20 fields, each of which will be analyzed with a case statement or an IF statement. I have not yet written the test cases.

sideview
SplunkTrust

The conditional eval logic at the simplest level would look like:

| eval notes=if(field2>=10,coalesce(notes,"")+"\nLatency 2 marginally above threshold",notes)

but it can be nested. Here a longer statement catches both the "excessively" case and the "marginally above" case.

| eval notes=if(field2>=100,coalesce(notes,"")+"\nLatency 2 excessively high",if(field2>=10,coalesce(notes,"")+"\nLatency 2 marginally above threshold",notes))

Indeed, you might want to use the case syntax because it's cleaner across the 20 fields. However, to avoid the marginal errors getting repeated, you probably want to still nest the logic, either inside raw evals like this or inside your cases.
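The following is an added example, not part of either post above, showing one way to scale the nested case logic to the ~20 fields the question mentions. It uses `makeresults` to construct the three latencies from the question (1, 100, 11), a `foreach` over every field matching `lat*` so the thresholds are written once rather than once per field, and `mvappend` to collect the notes as a multivalue field, which Splunk displays one value per line without needing a newline literal. The field names `lat1`, `lat2`, `lat3` and the thresholds 10 and 100 are assumptions taken from the example in the question; the example also relies on `mvappend` skipping null arguments (the `case` returns null for a field under 10, and `notes` does not exist before the first append), so fields within range contribute nothing.

```spl
| makeresults
| eval lat1=1, lat2=100, lat3=11
| foreach lat*
    [ eval notes=mvappend(notes,
        case('<<FIELD>>' >= 100, "Latency <<MATCHSTR>> excessively high.",
             '<<FIELD>>' >= 10,  "Latency <<MATCHSTR>> marginally above threshold.")) ]
| table lat1 lat2 lat3 notes
```

Inside the `foreach` subsearch, `<<FIELD>>` is replaced by each matching field name and `<<MATCHSTR>>` by the part matched by the wildcard, so the expression becomes `lat2 >= 100` and the note reads "Latency 2 excessively high." for the second field; because `case` stops at the first true condition, a value of 100 or more produces only the "excessively high" note and never the "marginally above" one. For the constructed input the `notes` field ends up with two values, "Latency 2 excessively high." and "Latency 3 marginally above threshold.", matching the output the question asks for. If a single string is required instead of a multivalue field, append `| eval notes=mvjoin(notes, " ")` to join the values.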
