Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to replace the value when another field has "error"?

syokota_splunk
Splunk Employee
Splunk Employee
‎11-12-2017 05:31 PM

If the "delta_value" is more than 2 then I'd like to replace the value1 to "error"

Raw data
No, _time, value1, delta_value
1, 05/26/2017 06:32:50, 5.949602127, 0
2, 05/26/2017 06:32:55, 15.949602127, 10
3, 05/26/2017 06:33:00, 16.949602127, 1
4, 05/26/2017 06:33:05, 17.949602127, 1

Final result
No, _time, value1, delta_value
1, 05/26/2017 06:32:50, 5.949602127, 0
2, 05/26/2017 error, 15.949602127, 10
3, 05/26/2017 06:33:00, 16.949602127, 1
4, 05/26/2017 06:33:05, 17.949602127, 1

How to do it smart?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎11-12-2017 06:24 PM

@syokota [Splunk], please pipe the following eval with case() to match required condition and set the values accordingly

<YourBaseSearch>
| eval value1=case(delta1>2,"error",true(),value1)

In your example you have applied error to _time value.

Following is the run anywhere search based on your data (I have not included No field.)

| makeresults
| eval data="05/26/2017 06:32:50,5.949602127,0;05/26/2017 06:32:55,15.949602127,10;05/26/2017 06:33:00,16.949602127,1;05/26/2017 06:33:05,17.949602127,1"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,",")
| eval _time=mvindex(data,0)
| eval value1=mvindex(data,1)
| eval delta1=mvindex(data,2)
| table _time value1 delta1
| eval value1=case(delta1>2,"error",true(),value1)

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

syokota_splunk
Splunk Employee
Splunk Employee
‎11-12-2017 06:30 PM

I'm sorry to write down "Final result", correct image is below.

Final result
No, _time, value1, delta_value
1, 05/26/2017 06:32:50, 5.949602127, 0
2, 05/26/2017 06:32:55, error, 10
3, 05/26/2017 06:33:00, 16.949602127, 1
4, 05/26/2017 06:33:05, 17.949602127, 1

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎11-12-2017 06:24 PM

@syokota [Splunk], please pipe the following eval with case() to match required condition and set the values accordingly

<YourBaseSearch>
| eval value1=case(delta1>2,"error",true(),value1)

In your example you have applied error to _time value.

Following is the run anywhere search based on your data (I have not included No field.)

| makeresults
| eval data="05/26/2017 06:32:50,5.949602127,0;05/26/2017 06:32:55,15.949602127,10;05/26/2017 06:33:00,16.949602127,1;05/26/2017 06:33:05,17.949602127,1"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,",")
| eval _time=mvindex(data,0)
| eval value1=mvindex(data,1)
| eval delta1=mvindex(data,2)
| table _time value1 delta1
| eval value1=case(delta1>2,"error",true(),value1)

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

syokota_splunk
Splunk Employee
Splunk Employee
‎11-13-2017 02:06 AM

Thank you everyone!
I did it using below command.

|eval value1 = case(delta1="error","error",1=1,"unknown")
Reply
Solved! Jump to solution

MonkeyK
Builder
‎11-12-2017 06:28 PM

niketnilay beat me to it, so since I already thougth it through, you can also use "if"

<base search> | eval value1=if(delta_value>2,"error",value1)
0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎11-12-2017 06:33 PM

While if() is a hammer (you might hit a nail ;), see case() as a nail gun.
Because it will handle each possible case of key value if you add a default group like this:

 eval value1=case(delta1>2,"error",true(),value1,1=1,"unknown")

if nothing matches the case() you will still have the field value1="unknown". An if() would leave you empty in this case ...

cheers, MuS

Reply
Solved! Jump to solution

niketn
Legend
‎11-12-2017 09:28 PM

@Mus, thanks for the perfect analogy, however, the true() condition in my case statement is same as 1=1. To me it made sense to include just two blocks i.e. "error" if value1 is greater than 2 and for everything else value1, i.e. for all number <= 2 and also non numeric fields it will show the value as is.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎11-14-2017 05:22 PM

Indeed the true() is always true 😉
The reason why I usually try to match as much as possible in the case() and use the catch all 1=1, "unknown" as last, is that you can then run a search to find any unknown values and fix them.
A search example would be this:

| makeresults
| eval boo="2", foo=case(boo=1, boo, 1=1, "unknown")
| transpose 
| search "row 1"="unknown" 
| stats count values("row 1") AS value by column
| rename column AS fieldname
Reply
Solved! Jump to solution

niketn
Legend
‎11-14-2017 05:58 PM

Agree. Same here 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...