How to create an eval column in a table that says ...

samiksha86 · ‎05-15-2018

test    host1   host2   host3   temp
test1   x1  x1  x1  Match
test2   y1  y2  y1  No match
test3   z1  z1  z3  No match

niketn · ‎05-16-2018

@samiksha86, based on the sample data provided try the following run anywhere search. Command from makeresults till | table test host1 host2 host3 generates the sample data as per the question.

|  makeresults
|  eval data="test1 x1 x1 x1;test2 y1 y2 y1;test3 z1 z2 z3"
|  makemv data delim=";"
|  mvexpand data
|  makemv data delim=" "
|  eval test=mvindex(data,0),host1=mvindex(data,1),host2=mvindex(data,2),host3=mvindex(data,3)
|  table test host1 host2 host3
|  eval temp=host1.",".host2.",".host3
|  makemv temp delim=","
|  eval temp=mvdedup(temp), matchCount=mvcount(temp), temp=if(matchCount=1,"Matched","Not Matched")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

abhi04 · ‎07-26-2018

@niketnilay, what if the the values i.e. x1,x2y1,z1,etc are subject to changes and we have to compare then.
How to compare in that scenario?

How to create an eval column in a table that says "match" or "no match" if the value of all columns is the same/or not for each row?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk