Usage of Splunk EVAL Function : CASE
- This function takes pairs of arguments, X and Y.
- Each X argument is a Boolean expression; each Y argument is the value (a string or any other eval expression) to return for that X.
- The pairs are evaluated in order. When the first X expression that evaluates to TRUE is encountered, the corresponding Y argument is returned and the remaining pairs are ignored. If no X expression is TRUE, case returns NULL.
Find below the skeleton of the usage of the function "case" with EVAL :
..... | eval New_Field=case(X1,"Y1",X2,"Y2",....)
index="_audit"
| eval New_Field=case(info=="granted","GRAN",info=="canceled","CANCEL",1=1,"Nothing")
| table info,New_Field
Result : (a table with the columns info and New_Field; shown as an image in the original post)
Explanation :
In the above query, "info" is an existing field in the "_audit" index.
There are three conditions, checked in the order they are written :
1. If the "info" field is equal to "granted", then 'GRAN' is assigned to New_Field.
2. If the "info" field is equal to "canceled", then 'CANCEL' is assigned to New_Field.
3. If the "info" field is neither "granted" nor "canceled", then "Nothing" is assigned to New_Field.
The third condition is the default. case has no dedicated "else" argument, so the default is written as a final pair whose X is any expression that is always TRUE. The built-in function true() is the idiomatic choice; a constant comparison such as 1=1 or 2=2 works equally well.
If you leave the default pair out, events that match none of the conditions get a NULL New_Field rather than a value, so they silently disappear from any later "stats ... BY New_Field" or "where New_Field=..." step. Either add the default pair or handle the NULL afterwards with fillnull or isnull().
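The order of the pairs matters because case stops at the first TRUE condition. The following search is an added example, not from the original post, that extends the query above with an overlapping condition: match(info, "^c") is TRUE for "canceled" as well as for other values starting with "c" (such as "completed"), so it is placed after the exact "canceled" test. It uses only the "info" field of the _audit index, true() as the default, and the "." string concatenation operator; the value "completed" is assumed to be present in your _audit data.

```spl
index="_audit"
| eval New_Field=case(
      info=="granted",    "GRAN",
      info=="canceled",   "CANCEL",
      match(info, "^c"),  "OTHER_C",
      true(),             "Nothing: " . info)
| stats count BY info, New_Field
```

Rows with info="canceled" are labeled CANCEL, rows with info="completed" fall through to the match() test and are labeled OTHER_C, and everything else is labeled with the "Nothing: " prefix followed by the raw value. If you swap the second and third pairs, every "canceled" event is labeled OTHER_C and the CANCEL label is never produced; the stats output makes such an ordering mistake visible immediately because the CANCEL row vanishes.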
Now you can effectively use the "case" function with the "eval" command to meet your requirement !!
Hope you are now comfortable with : Usage of Splunk EVAL Function : CASE
HAPPY SPLUNKING !!