Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Convert field extraction into summarized value

branfarm
Explorer
‎08-31-2012 11:47 AM

Hi there,

I have a log that prefaces each message with either "Sending data on connection" or "Received data on connection". I have created an extraction to extract this value as "Direction", but I'd like to be able to show that result in a table as simply "Inbound" or "Outbound". Can anyone point me in the right direction for this?

Thanks in advance,

Brandon

Tags (1)
0 Karma
Reply

Ayn
Legend
‎08-31-2012 11:58 AM

You could use eval. Let's say you extracted the values "Sending" and "Received", respectively:

... | eval dir_type=case(Direction,"Sending","Outbound","Received","Inbound")
0 Karma
Reply

Ayn
Legend
‎08-31-2012 12:51 PM

Yes, you could use a lookup table for that. Also, in Splunk 5.0 that is due out...sometime in the future, you can setup eval statements in configuration files!

0 Karma
Reply

branfarm
Explorer
‎08-31-2012 12:08 PM

Thanks, Ayn. That worked, but seems very cumbersome in the search. Would a lookup table be able to accomplish this and keep the usability? For instance, enabling a user to use a search including direction=inbound ?

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...