
Splunk 7 Essentials - Third Edition by Betsy Page Sigman, Erickson Delgado, J-P Contreras


Using eval and if

If you need to create a field for reporting based on the data present in an event, you can use the eval command to create the field and the if function to test a condition and pick the value it receives.

Combined with if, the eval command takes the following form, where the new field gets the first value when the condition is true and the second value otherwise:

SPL> | eval newfield=if(condition, value_if_true, value_if_false)

Say you want to classify each event at search time by whether its destination is on the east coast. Using the following search, if the http_uri of an event contains NY, MIA, or MCO, a new field called Region is added to that event with the value East; otherwise Region is added with the value Others. The search then lists the newly created Region field and http_uri for all events, sorted by Region:

SPL> index=main ...
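As an added example (not a search from the book), here is the full pattern written out end to end, with the east-coast test done once as a regular expression via the eval match function and the results summarized rather than listed per event. It assumes the events live in index=main with a sourcetype named access_combined and carry an http_uri field; the sourcetype name and the request paths in the comments are assumptions for illustration.

```spl
index=main sourcetype=access_combined
| eval Region=if(match(http_uri, "(?i)NY|MIA|MCO"), "East", "Others")
| stats count BY Region, http_uri
| sort Region, -count
```

The (?i) prefix makes the match case-insensitive, so a URI such as /book/nyc or /flights/mco is classified as East; without it, only the upper-case spellings count. match tests a substring, so a URI containing "SUNNY" would also land in East; anchor the pattern (for example, "/(NY|MIA|MCO)/") if the codes always appear as a full path segment. Replacing stats with table Region, http_uri reproduces the per-event listing described above.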
