
Splunk 7 Essentials - Third Edition by Betsy Page Sigman, Erickson Delgado, J-P Contreras


Using eval and match with a case function

You can improve upon the prior search by using match instead of if, and by accounting for the West and Central regions as well.

We also introduce the case function here. In the following illustration, you will see that we can set the value of a field by giving it a value of Label1 if Condition1 is true, Label2 if Condition2 is true, and so on:

    SPL> | eval newfield=case(Condition1, "Label1", Condition2, "Label2", 
              ConditionX, "LabelX")

Let us tweak the previous query to use case instead of if:

    SPL> index=main http_uri="/destination/*/details" 
         | eval Region=case(match(http_uri, "NY|MIA|MCO"), 
           "East", match(http_uri, "WAS|AK|LAX|PML"), "West", 
           match(http_uri, "HOU"), "Central") 
         | top 0 Region, http_uri | sort Region

The result ...
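To make the semantics of the search above concrete outside Splunk, here is an added Python model of it (not code from the book): it emulates SPL's case() (first true condition wins, null otherwise) and match() (unanchored regex) over a constructed list of http_uri values, then counts regions the way `| top 0 Region` would. The URIs and the helper names are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample http_uri values, modelled on the book's
# "/destination/<CODE>/details" pattern; not real log data.
SAMPLE_URIS = [
    "/destination/NY/details",
    "/destination/MIA/details",
    "/destination/LAX/details",
    "/destination/HOU/details",
    "/destination/WAS/details",
    "/destination/NY/details",
    "/destination/SFO/details",   # matches no condition -> Region is null
]

# Same condition/label pairs, in the same order, as the book's
# eval Region=case(...) expression.
REGION_CASES = [
    (r"NY|MIA|MCO", "East"),
    (r"WAS|AK|LAX|PML", "West"),
    (r"HOU", "Central"),
]


def spl_case(value, cases):
    """Emulate SPL case(): return the label of the FIRST condition that is
    true; return None (SPL null) when no condition matches."""
    for pattern, label in cases:
        # SPL match() is an unanchored regex search, so "NY" also matches
        # any longer code that contains those letters.
        if re.search(pattern, value):
            return label
    return None


def top_region(uris, cases=REGION_CASES):
    """Emulate `| top 0 Region`: count each Region value, skipping events
    where case() returned null, since top does not count a missing field."""
    regions = (spl_case(u, cases) for u in uris)
    return Counter(r for r in regions if r is not None)


if __name__ == "__main__":
    for region, count in top_region(SAMPLE_URIS).most_common():
        print(f"{region}\t{count}")
```

Because match() is a substring search, a short code such as "AK" would also label a URI like "/destination/OAK/details" as West; anchor the patterns (for example `/AK/`) if the airport codes are not guaranteed to be distinct substrings.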
