For example:
Input: I am getting a result in a table format like statuscodeUSB 35, but I want to transform the result into something like Us Bank 35.
Basically I want to implement logic something like this:
if statuscodeUSB then return Usbank
if statuscodeIND then return indian bank
Can anyone suggest something on this?
Assuming statuscodeUSB and statuscodeIND have been extracted into a field called statuscode, you could do something like this:
| eval statuscode=case(statuscode="statuscodeUSB", "Usbank", statuscode="statuscodeIND", "indian bank", 1==1, statuscode)
For the 2nd value it is still displaying the old value, e.g. I can see statuscodeIND, not Indian bank, after writing the eval expression. I have one more question: does the eval expression work only for two values, or for more than two values also?
The case function will work for multiple values, although there may be a line length limit (not sure what that might be), and the case function has to be all on one line, although it can wrap in some editors.
The above query worked somehow by adding one more default value in the field called statuscode. Not sure what the concept behind that is. Anyway, thanks @ITWhisperer.
I believe you could use a lookup table. Create a column that matches the extracted field and another column with the additional field information, something like:
statuscode bank (headers)
statuscodeUSB Usbank
statuscodeIND Indianbank
See the docs: https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationto...
And have you tried the rename command? | rename <wc-field> AS <wc-field>...
I tried with the rename command but it was not working. The input format I shared is actually the result of a rex expression.
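As an added example (not from any post in this thread), here is a complete search that runs both suggested approaches side by side on constructed sample events, so the "default value" behaviour asked about above is visible: case() returns null for any value that matches none of its condition pairs, so the trailing 1==1 pair is what keeps the raw code for unmatched rows, and a lookup miss likewise leaves the output field empty unless you fill it with coalesce(). The sample events, the field names, and the lookup file are assumptions; for the lookup branch to work you would first upload a CSV named bank_lookup.csv with the header row statuscode,bank and the rows statuscodeUSB,Usbank and statuscodeIND,Indianbank under Settings > Lookups > Lookup table files.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n=1, "statuscodeUSB 35", n=2, "statuscodeIND 12", n=3, "statuscodeXYZ 7")
| rex field=_raw "^(?<statuscode>\S+)\s+(?<total>\d+)$"
| eval bank_case=case(statuscode="statuscodeUSB", "Usbank", statuscode="statuscodeIND", "indian bank", 1==1, statuscode)
| lookup bank_lookup.csv statuscode OUTPUT bank AS bank_lookup
| eval bank_lookup=coalesce(bank_lookup, statuscode)
| table statuscode total bank_case bank_lookup
```

The first three lines only fabricate the three sample events; in a real search they are replaced by the base search and the existing rex. The third row (statuscodeXYZ) is there on purpose: remove the 1==1 pair from the case() call or the coalesce() after the lookup and that row's bank field comes back empty, which is the symptom the thread describes. The lookup version is the one to prefer once the list of codes grows, since new mappings become a CSV row instead of an edit to the search.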