If you need to create a field for reporting based on the data present in an event, you can use the eval command to create the field and the if function to test a condition.
The eval command takes the following form:
SPL> | eval newfield=if(condition, field1, field2)
Say you want to classify events at search time according to whether a destination is on the east coast or not. Using the following search, if a destination URI has NY, MIA, or MCO in it, the new Region field on that event is set to East. Otherwise, Splunk sets it to Others. Once that has been done, the search lists the newly created Region field and http_uri for all events, sorted by Region:
SPL> index=main ...
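The following search is an added example, not the search from the original text. It runs the same kind of eval/if classification over constructed sample URIs generated with makeresults, so it needs no indexed data. The `/destination/<code>/details` URI layout and the Region_anchored field are assumptions made for illustration.

```spl
| makeresults
| eval http_uri=split("/destination/NY/details,/destination/MIA/details,/destination/LAX/details,/destination/MCO/details,/destination/LAX/details?ref=SUNNY", ",")
| mvexpand http_uri
| eval Region=if(match(http_uri, "NY|MIA|MCO"), "East", "Others")
| eval Region_anchored=if(match(http_uri, "^/destination/(NY|MIA|MCO)/"), "East", "Others")
| table http_uri Region Region_anchored
| sort Region
```

match() tests an unanchored regular expression, so the last sample URI, which contains NY only inside its query string, is labelled East by the first eval and Others by the anchored one.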