The following list contains the functions that you can use to compare values or specify conditional statements.

For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions.

For information about Boolean operators, such as AND and OR, see Boolean operators.

Accepts alternating conditions and values. Returns the first value for which the condition evaluates to TRUE.

The arguments are Boolean expressions that are evaluated from first to last. When the first expression is encountered that evaluates to TRUE, the corresponding argument is returned. The function defaults to NULL if none of the arguments are true.

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic example

This example uses the sample data from the Search Tutorial, but should work with any format of Apache Web access log. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range Yesterday when you run the search.

The following example returns descriptions for the corresponding HTTP status code.

sourcetype=access_* | eval description=case(status=200, "OK", status=404, "Not found", status=500, "Internal Server Error") | table status description

The results appear on the Statistics tab and look something like this:

For an example of how to display a default value when the status does not match one of the values specified, see the True function.

This example shows you how to use the case function in two different ways: to create categories and to create a custom sort order.

This example uses recent earthquake data downloaded from the USGS Earthquakes website. The data is a comma-separated ASCII text file that contains magnitude (mag), coordinates (latitude, longitude), region (place), and so forth, for each earthquake recorded.

You can download a current CSV file from the USGS Earthquake Feeds and upload the file to your Splunk instance if you want to follow along with this example.

You want to classify earthquakes based on depth. Shallow-focus earthquakes occur at depths less than 70 km. Mid-focus earthquakes occur at depths between 70 and 300 km. Deep-focus earthquakes occur at depths greater than 300 km.

We'll use Low, Mid, and Deep for the category names.

| eval Description=case(depth<=70, "Low", depth>70 AND depth<=300, "Mid", depth>300, "Deep") | stats count min(mag) max(mag) by Description

The eval command is used to create a field called Description, which takes the value of "Low", "Mid", or "Deep" based on the depth of the earthquake.
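The first-match-wins semantics of case(), its NULL result when no condition matches, and the two uses described above (category labels and a custom sort order) are easy to misjudge at the boundaries, so here is an added Python model of the function run over constructed records. This is illustrative code written for this page, not SPL and not code from the Splunk documentation; the record values, the "Other" label returned by the true() default branch, and the rank numbers used for the custom sort are assumptions chosen for the example.

```python
"""Python model of Splunk's eval case(X, "Y", ...) semantics.

case() takes alternating (condition, value) pairs, evaluates the conditions
from first to last, returns the value paired with the first TRUE condition,
and yields NULL (None here) when no condition matches. All records below are
constructed sample data, not real USGS or Search Tutorial data.
"""
from typing import Any, Callable, Dict, List, Optional, Tuple

Condition = Callable[[dict], bool]
Pair = Tuple[Condition, Any]


def case(record: dict, *pairs: Pair) -> Optional[Any]:
    """First matching condition wins; None (NULL) if nothing matches."""
    for condition, value in pairs:
        if condition(record):
            return value
    return None


def true(_record: dict) -> bool:
    """Model of Splunk's true(): always matches, so it serves as a default branch."""
    return True


# Constructed earthquake records (depth in km, magnitude). The exact boundary
# values 70 and 300 are included so the inclusive/exclusive edges are visible.
EARTHQUAKES: List[dict] = [
    {"depth": 10.0, "mag": 4.1},
    {"depth": 70.0, "mag": 5.0},
    {"depth": 70.1, "mag": 3.2},
    {"depth": 300.0, "mag": 6.0},
    {"depth": 450.0, "mag": 6.3},
]


def depth_description(rec: dict) -> Optional[str]:
    """Mirrors: eval Description=case(depth<=70, "Low", depth>70 AND depth<=300, "Mid", depth>300, "Deep")."""
    return case(
        rec,
        (lambda r: r["depth"] <= 70, "Low"),
        (lambda r: 70 < r["depth"] <= 300, "Mid"),
        (lambda r: r["depth"] > 300, "Deep"),
    )


def stats_by_description(records: List[dict]) -> Dict[Optional[str], dict]:
    """Mirrors: stats count min(mag) max(mag) by Description."""
    out: Dict[Optional[str], dict] = {}
    for rec in records:
        key = depth_description(rec)
        entry = out.setdefault(key, {"count": 0, "min_mag": rec["mag"], "max_mag": rec["mag"]})
        entry["count"] += 1
        entry["min_mag"] = min(entry["min_mag"], rec["mag"])
        entry["max_mag"] = max(entry["max_mag"], rec["mag"])
    return out


# Constructed web access records; 403 and 503 match none of the listed codes,
# which is exactly the situation in which case() returns NULL.
ACCESS: List[dict] = [{"status": s} for s in (200, 404, 500, 403, 503)]


def status_description(rec: dict, with_default: bool = False) -> Optional[str]:
    """Mirrors the basic example; with_default=True appends a true() branch (assumed label "Other")."""
    pairs: List[Pair] = [
        (lambda r: r["status"] == 200, "OK"),
        (lambda r: r["status"] == 404, "Not found"),
        (lambda r: r["status"] == 500, "Internal Server Error"),
    ]
    if with_default:
        pairs.append((true, "Other"))
    return case(rec, *pairs)


def custom_sort(descriptions: List[str]) -> List[str]:
    """Custom sort order via case(): map each category to an assumed rank, then sort by it."""
    def rank(d: str) -> int:
        return case(
            {"d": d},
            (lambda r: r["d"] == "Low", 1),
            (lambda r: r["d"] == "Mid", 2),
            (lambda r: r["d"] == "Deep", 3),
            (true, 99),  # unknown categories sort last instead of producing NULL
        )
    return sorted(descriptions, key=rank)


if __name__ == "__main__":
    for rec in EARTHQUAKES:
        print(rec["depth"], "->", depth_description(rec))
    print(stats_by_description(EARTHQUAKES))
    for rec in ACCESS:
        print(rec["status"], status_description(rec), status_description(rec, with_default=True))
    print(custom_sort(["Deep", "Low", "Mid", "Low"]))
```

Two details worth noticing when you run it: a depth of exactly 70 km lands in "Low" and exactly 300 km in "Mid" because the first matching condition wins and the thresholds use <=, and a status code outside the listed set yields None until a true() default branch is added, which is the behaviour the page points to under the True function.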