Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you use the eval command when the field val...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jacqu3sy
Path Finder
02-05-2019
02:50 AM
Hi,
How do I use the eval statement when the field value could contain multiple variables?
so for example my field "OS" could be;
Windows XP
Windows 7
Windows 10
Server 2003
Server2008
I want to use an eval to create two new fields; one for server OS and another for desktop OS
So something like
| eval server=if(OS="Server 2003" OR OS="Server2008")
| eval desktop=if(OS="Windows XP" OR OS="Windows 10")
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
02-05-2019
02:57 AM
Hi,
Try case
<yourBaseSearch>
| eval os_type=case(OS == "Windows XP" OR OS == "Windows 7" OR OS == "Windows 10", "desktop", OS == "Server 2003" OR OS == "Server2008", "server")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
02-05-2019
02:57 AM
Hi,
Try case
<yourBaseSearch>
| eval os_type=case(OS == "Windows XP" OR OS == "Windows 7" OR OS == "Windows 10", "desktop", OS == "Server 2003" OR OS == "Server2008", "server")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jacqu3sy
Path Finder
02-05-2019
03:08 AM
worked like a charm. thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
02-05-2019
03:47 AM
Great, you are welcome
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DMohn
Motivator
02-05-2019
02:56 AM
You could use either match or like as an eval function here ...
| eval is_server = if(like(OS, "Server%"),"1","0")
| eval is_desktop = if(like(OS, "Windows%"),"1","0")
Like uses a SQL-like wildcard matching. You can get even more flexibility with match - which uses regex...
| eval is_server = if(match(OS, "Server\s?[\d]{4}"),"1","0")
| eval is_desktop = if(like(OS, "Windows"),"1","0")
Hope this helps ...
Get Updates on the Splunk Community!
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
