Hello,
I need to create a grouping of results by error code.
There are different types of error codes, like 1123, 0123, 0000, 1234 etc., which are specific to my application.
The error codes are categorized in 4 categories: infra error, customer error, application error, Information_code_not_error
One way is to upload a lookup file and use that, but I don't have access to do that; the only access I have is to run normal queries.
Please help me if you know a way to do so.
Like: if value in (1,5,3,2,7) then Code1, else if value in (4,6,0) then Code2, else Code3
Thanks
You're right on track. Using the example you gave at the end of your post, I'd code it like this:
<your base search>
| eval code_field=case(in(val_field, "1", "5", "3", "2", "7"), "Code1", in(val_field, "4", "6", "0"), "Code2", 1=1, "Code3")
Read in plain English, this code says: If the value in the field val_field is 1, 5, 3, 2, or 7, then set the value of code_field to "Code1". If the value in the field val_field is 4, 6, or 0, then set the value of code_field to "Code2". Otherwise, set the value of the field val_field to "Code3".
More info about the in() function is here:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/ConditionalFunctions#in.28VAL...
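Applied to the four categories from the question, the same case()/in() pattern looks like this. This is an added example, not code from the answer above; the sample events come from makeresults, and the assignment of codes to categories (1123 and 1234 as infra, 0123 as customer, 1111 as application, 0000 as the informational code) is constructed for illustration, not taken from any real application.

```spl
| makeresults count=6
| streamstats count AS n
``` constructed sample events; error_code is kept as a string so "0123" keeps its leading zero ```
| eval error_code=case(n=1,"1123", n=2,"0123", n=3,"0000", n=4,"1234", n=5,"9999", n=6,"0123")
``` first matching condition wins; true() is the catch-all so no event is left without a category ```
| eval category=case(
    in(error_code, "1123", "1234"), "infra error",
    in(error_code, "0123"), "customer error",
    in(error_code, "1111"), "application error",
    in(error_code, "0000"), "Information_code_not_error",
    true(), "unknown code")
| stats count BY category error_code
```

Two things worth checking in your own data before relying on this: in() does exact comparisons, so if error_code has been auto-extracted as a number, "0123" becomes 123 and will not match the quoted literal (wrap the field in tostring() or fix the extraction); and the final true() branch is what surfaces codes nobody has categorized yet, so keep it and review the "unknown code" bucket rather than silently dropping those events.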
I didn't know about the in function! I knew about the new IN operator in SPL, but not in terms of eval.
You can use a case statement to do so.
your base search with field error_code
| eval category=case(match(error_code,"^(1|5|3|2|7)$"),"infra error", match(error_code,"^(4|6|0)$"),"customer error", ...other conditions..., true(),"default value here")