Monday, May 4

Usage of Splunk EVAL Function : CASE

  •  This function takes pairs of arguments X and Y.
  •  The X arguments are Boolean expressions, evaluated in the order they are written.
  •  When the first X expression that evaluates to TRUE is encountered, the corresponding Y argument is returned. If none of the X expressions is true, case returns null and the new field is not set for that event.

Find below the skeleton of the usage of the "case" function with EVAL :

    ..... | eval New_Field=case(X,"Y",....)




index="_audit" 
| eval New_Field=case(info=="granted","GRAN",info=="canceled","CANCEL",1=1,"Nothing") 
| table info,New_Field 


Result :

    info        New_Field
    granted     GRAN
    completed   Nothing
    canceled    CANCEL


Explanation : 

In the above query, "info" is an existing field in the "_audit" index.

There are three conditions, checked in order, on which the value of New_Field depends :

1. If the "info" field is equal to "granted", then 'GRAN' is
   assigned to New_Field.

2. If the "info" field is equal to "canceled", then 'CANCEL' is
   assigned to New_Field.

3. If the "info" field is neither "granted" nor "canceled",
   then "Nothing" is assigned to New_Field.
   Because case returns null when no condition matches, we need
   a condition that is always true as the last pair to act as the
   default. Ex:- 1=1, 2=2, or the true() function.
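To make the first-match and default behaviour concrete, here is a small Python model of how case() chooses a value, applied to constructed events that mimic the "info" field of the _audit index. This is an added example, not code from the original post or from Splunk; the events and the spl_case/classify helper names are assumptions for illustration.

```python
# Added example (not from the original post): a Python model of Splunk eval case()
# semantics, run over constructed events shaped like _audit records.
from typing import Any, Callable, List, Optional, Tuple

Condition = Callable[[dict], bool]


def spl_case(event: dict, *pairs: Tuple[Condition, Any]) -> Optional[Any]:
    """Mimic eval case(X1, Y1, X2, Y2, ...): return the Y of the first true X.

    As in Splunk, a comparison against a missing field is simply false, and if
    no condition matches the result is null (None here), i.e. the field is unset.
    """
    for cond, value in pairs:
        try:
            if cond(event):
                return value
        except KeyError:
            continue  # missing field -> condition is false, try the next pair
    return None


# Constructed sample events: one per "info" value in the post's result table,
# plus one event that has no "info" field at all.
SAMPLE_EVENTS: List[dict] = [
    {"info": "granted", "user": "admin"},
    {"info": "completed", "user": "admin"},
    {"info": "canceled", "user": "splunk-system-user"},
    {"user": "nobody"},  # no "info" field
]


def classify(events: List[dict], with_default: bool = True) -> List[Tuple[Optional[str], Optional[str]]]:
    """Apply the post's case() expression to each event; return (info, New_Field) rows.

    with_default=False drops the 1=1 catch-all so the null-on-no-match case is visible.
    """
    pairs: List[Tuple[Condition, Any]] = [
        (lambda e: e["info"] == "granted", "GRAN"),    # info=="granted","GRAN"
        (lambda e: e["info"] == "canceled", "CANCEL"), # info=="canceled","CANCEL"
    ]
    if with_default:
        pairs.append((lambda e: True, "Nothing"))     # 1=1,"Nothing"
    return [(e.get("info"), spl_case(e, *pairs)) for e in events]


if __name__ == "__main__":
    for info, new_field in classify(SAMPLE_EVENTS):
        print(f"{str(info):<12}{new_field}")
```

Running classify with with_default=False shows the rows for "completed" and for the event without "info" come back as None, which is exactly why the 1=1 pair is needed.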



Now you can effectively use the "case" function with the "eval" command to meet your requirements !!


Hope you are now comfortable in : Usage of Splunk EVAL Function : CASE


HAPPY SPLUNKING !!