Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Conditional logic and assigning values for group

mschellhouse
Path Finder
‎05-01-2017 02:51 PM

I am trying to categorize records that meet certain logic criteria. If logic is met, I want to assign a string value to category field for ALL events that share the same ID.

Example:
1. name=abc / ID=123xyz / data=loginfailure / category=
2. name=dce / ID=123xyz / data=primaryevent / category=

I am using conditional logic to find the existence of #2 and setting the category. This is the determining event with all events sharing that ID. The next step is to apply that same category to all events that have the same ID.

Step1 - locate record #2 and set category=websitelogin
Step2 - set category=websitelogin for all events that share the same ID as #2.

Desired End Result:
1. name=abc / ID=123xyz / data=loginfailure / category=websitelogin
2. name=dce / ID=123xyz / data=primaryevent / category=websitelogin

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-01-2017 02:54 PM

Step 1 would be something like | eval category = case(some boolean expression to determine category A, "A", some boolean expression to determine category B, "B", ...)

Step 2 could be | eventstats values(category) as category by ID if you need to do per-event things afterwards, or | stats values(category) as category something(otherfield) by ID if you only need to do reporting things afterwards.
In both approaches you'll need to deal with multiple categories assigned to one ID if that's possible in your data.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-01-2017 02:54 PM

Step 1 would be something like | eval category = case(some boolean expression to determine category A, "A", some boolean expression to determine category B, "B", ...)

Step 2 could be | eventstats values(category) as category by ID if you need to do per-event things afterwards, or | stats values(category) as category something(otherfield) by ID if you only need to do reporting things afterwards.
In both approaches you'll need to deal with multiple categories assigned to one ID if that's possible in your data.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...