brokersright.blogg.se

Splunk eval if statement
The following list contains the functions that you can use to compare values or specify conditional statements. For information about using string and numeric fields in functions, and nesting functions, see Overview of SPL2 evaluation functions.

case

This function takes pairs of arguments, a condition and a value, and returns the first value for which the condition evaluates to TRUE. The conditions are Boolean expressions that are evaluated from first to last. When the first expression is encountered that evaluates to TRUE, the corresponding value argument is returned. The function defaults to NULL if none of the conditions are true. You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

The following example returns descriptions for the corresponding HTTP status code.

| from my_dataset where sourcetype="access_*" | eval description=case(status = 200, "OK", status = 404, "Not found", status = 500, "Internal Server Error")

In the above example, the description column is empty for status=406 and status=408. To display a default value when the status does not match one of the values specified, use the literal true as the last condition.

| from my_dataset where sourcetype="access_*" | eval description=case(status = 200, "OK", status = 404, "Not found", status = 500, "Internal Server Error", true, "Other")

The word Other displays in the search results for status=406 and status=408.

This example shows you how to use the case function in two different ways, to create categories and to create a custom sort order. The example uses earthquake data downloaded from the USGS Earthquakes website. The data is a comma separated ASCII text file that contains magnitude (mag), coordinates (latitude, longitude), region (place), and so forth, for each earthquake recorded. You want to classify earthquakes based on depth. Shallow-focus earthquakes occur at depths less than 70 km. Mid-focus earthquakes occur at depths between 70 and 300 km. Deep-focus earthquakes occur at depths greater than 300 km. We'll use Low, Mid, and Deep for the category names.

| from my_dataset where source="all_month.csv" | eval Description=case(depth<=70, "Low", depth>70 AND depth<=300, "Mid", depth>300, "Deep") | stats count min(mag) max(mag) by Description

The eval command is used to create a field called Description, which takes the value "Low", "Mid", or "Deep" based on the depth of the earthquake. The case() function is used to specify which ranges of the depth fit each description. For example, if the depth is less than 70 km, the earthquake is characterized as a shallow-focus quake and the resulting Description is Low. The search also pipes the results of the eval command into the stats command to count the number of earthquakes and display the minimum and maximum magnitudes for each Description.

You can sort the results in the Description column by clicking the sort icon in Splunk Web. However, in this example the order would be alphabetical, returning results in Deep, Low, Mid or Mid, Low, Deep order. You can also use the case function to sort the results in a custom order, such as Low, Mid, Deep. You create the custom sort order by giving the values a numerical ranking and then sorting based on that ranking.

| from my_dataset where source="all_month.csv" | eval Description=case(depth<=70, "Low", depth>70 AND depth<=300, "Mid", depth>300, "Deep") | eval sort_field=case(Description="Low", 1, Description="Mid", 2, Description="Deep", 3)

cidrmatch

Returns TRUE or FALSE based on whether an IP address matches a CIDR notation. This function returns TRUE when an IP address belongs to a particular CIDR subnet. Both arguments are strings. If you specify a literal string value instead of a field name, that value must be enclosed in double quotation marks. This function is compatible with IPv6. The following example uses the cidrmatch and if functions to set a field, isLocal, to "local" if the field ipAddress matches the subnet. If the ipAddress field does not match the subnet, the isLocal field is set to "not local".

First, how accurate is the representation in that data illustration? The sample contains an extraneous comma after alternateId, rendering the blob invalid as JSON. If that is a problem, you need to bring that to your developers. If I assume that the original data is valid, notice that the target node is an array. So, you will need to handle multiple entries in that entity. In SPL, an array is flattened with a suffix, so split multivalues first. Here is an emulation of your illustrated data with that syntax correction. You can play with it and compare with your actual data.
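The case(), if() and cidrmatch() functions described above, combined in one self-contained search. This is an added example, not a search from the page or from the Splunk documentation: the access-log events are constructed inline with makeresults (the IP addresses come from documentation ranges and private space, the status and byte values are made up), and it uses classic SPL syntax, so the default branch is written true() rather than the SPL2 literal true, and comparisons use ==. It demonstrates the three uses of case() from the page on a single dataset: exact-match labels with a default, range-based categories, and a numeric rank for a custom sort order, plus if(cidrmatch(...)) over both IPv4 and IPv6 addresses.

```spl
| makeresults count=1
| eval raw="10.20.30.40,200,512;203.0.113.7,404,0;10.9.8.7,500,2048;198.51.100.2,406,64;fd00::1,200,900000;2001:db8::5,408,10"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<ipAddress>[^,]+),(?<status>\d+),(?<bytes>\d+)$"
| eval status=tonumber(status), bytes=tonumber(bytes)
| eval description=case(status==200, "OK", status==404, "Not found", status==500, "Internal Server Error", true(), "Other")
| eval size=case(bytes<=1024, "Small", bytes>1024 AND bytes<=65536, "Mid", bytes>65536, "Large")
| eval isLocal=if(cidrmatch("10.0.0.0/8", ipAddress) OR cidrmatch("fd00::/8", ipAddress), "local", "not local")
| eval sort_field=case(description=="Internal Server Error", 1, description=="Not found", 2, description=="Other", 3, description=="OK", 4)
| table ipAddress isLocal status description bytes size sort_field
| sort sort_field
```

The first eval builds one event per constructed line; rex extracts the three fields and tonumber makes the numeric comparisons explicit. Without the true() branch, description would be NULL for the 406 and 408 events, which is the behaviour the page describes for the first status example; with it, they are labelled Other. The size field mirrors the earthquake depth example with adjacent ranges, and sort_field ranks server errors first so that sort orders the results by severity rather than alphabetically. The two cidrmatch calls assume 10.0.0.0/8 and fd00::/8 as the local ranges; substitute the subnets that actually apply to your environment.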










