I am using the following eval command. I want the type column to pick up both the sources.
index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type= case(source=smf014,Input,source=smf015,Output, (source=smf015 and source=smf014),Both)
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type
I would appreciate the help.
Hi @chinmay25,
I believe you want to see "Input", "Output" or "Both" as text in the Type field. The search result must be showing these values. Do you mean Input, Output and Both as other field names? Do you want to see the values of these fields in the Type field?
Hi Scelikok,
I want the result table to have the following column for type. It should not have "Both" in it. In place of SMF014 I want Input and In place of SMF015 I want Output in the Type Column.
Type |
Input |
Input |
Input |
Input |
Output |
Input |
Output |
Input |
Hi @chinmay25,
I got the problem now, it was not supposed to show all as "Both". Please try below;
index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type=case(source="smf014","Input",source="smf015","Output",1=1,"Both")
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type
Hi,
I tried your latest command with 1=1, "Both". The table still shows Both and not Input or Output.
Type |
Both |
Both |
Both |
And if I try the if command, I get a blank column.
Is it possible to be all events are coming from both sources? Can you please show the stats command output before eval?
This is the result just after the stats command.
Ok, source is not exact match to smf014 or smf015. Please try below;
index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type=case(mvcount(source)>1,"Both",source LIKE "%smf014","Input",source LIKE "%smf015","Output")
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type
Hi Scelikok,
Unfortunately, it's still not picking up anything in the Type column.
The Type column is blank.
Chinmay.
Hi @chinmay25,
Please try below, I think it is case sensitivity;
index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type=case(mvcount(source)>1,"Both",source LIKE "%SMF014","Input",source LIKE "%SMF015","Output")
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type
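The root cause in the accepted answer is worth seeing on constructed data: the base search `source=smf014` matches case-insensitively, but inside `eval`, both `=` and `LIKE` compare case-sensitively, so a source path containing `SMF014` never matches `"%smf014"`. The following search is an added, self-contained example that is not part of the original thread; it builds four fake rows with `makeresults` (the `/mainframe/smf/` path prefix, the job names JOBA to JOBC, and the helper fields `rec` and `src` are assumptions, not values from the poster's data) and shows the accepted `case()` expression next to the lowercase variant that returned blanks and a case-insensitive alternative using `match()`:

```spl
| makeresults
| eval rec="SMF014,JOBA;SMF015,JOBB;SMF014,JOBC;SMF015,JOBC"
| makemv delim=";" rec
| mvexpand rec
| rex field=rec "^(?<src>[^,]+),(?<SMF14JBN>.+)$"
| eval source="/mainframe/smf/".src
| fields - rec src _time
| stats values(source) as source by SMF14JBN
| eval Type=case(mvcount(source)>1,"Both",source LIKE "%SMF014","Input",source LIKE "%SMF015","Output")
| eval Type_lower=case(mvcount(source)>1,"Both",source LIKE "%smf014","Input",source LIKE "%smf015","Output")
| eval Type_nocase=case(mvcount(source)>1,"Both",match(source,"(?i)smf014"),"Input",match(source,"(?i)smf015"),"Output")
| table SMF14JBN source Type Type_lower Type_nocase
```

Expected output: JOBA gets Input, JOBB gets Output and JOBC (seen in both sources) gets Both in the `Type` and `Type_nocase` columns, while `Type_lower` is blank for JOBA and JOBB and only shows Both for JOBC, which is exactly the blank column reported above. Two practical notes: `values(source)` deduplicates, so `mvcount(source)>1` reliably means both sources contributed to the group; and if the real source path has a suffix after the record name (for example an extension), use `"%SMF014%"` rather than `"%SMF014"`, or the `match()` form, so the pattern is not anchored at the end of the string.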
Thank you. This solution works.
I had used the append command to make it work, but this is more efficient.
Regards,
Chinmay.
Hi @chinmay25,
Please try below;
index=xyz (source=smf015 OR source=smf014)
| stats values(source) as source by JFCBDSNM DATETIME SMF14JBN SMF14RST SMF14SPN JFCBELNM TIOEDDNM SMF14PGN
| eval Type= case(source=smf014,"Input",source=smf015,"Output",1=1,"Both")
| table DATETIME JFCBDSNM SMF14JBN SMF14SPN TIOEDDNM SMF14PGN Type
Hi Scelikok,
Thank you for the help. It does work.
However, I may have defined the problem incorrectly.
What I expect the Type column to pick up is INPUT in place of SMF014 and OUTPUT in place of SMF015.
Looking forward to your suggestion.
Chinmay.