Solved: conditional field choice

wsw70 · ‎12-22-2011

Hello,

I have log files which have both IP numbers (field IP) and corresponding names (field DNSNAME).
I would like to chart (a distribution for instance) based on the names but unfortunately some of them are not available (the value of the field DNSNAME="N/A"). In that case I need to fallback to the IP.

If I always had names I would do

... | stats count by DNSNAME

Is there a way to construct something along the lines of

... | stats count [ if DNSNAME != "N/A" then "by DNSNAME" else "by IP" ) ]

I was looking around the eval & co. functions but the "if" mentioned there seems to work on a given field only (while I want to modify the search itself based on conditions)

Thanks!

imrago · ‎12-22-2011

... | eval newfield=if(DNSNAME=="N/A",IP,DNSNAME) | stats count by newfield

View solution in original post

imrago · ‎12-22-2011

... | eval newfield=if(DNSNAME=="N/A",IP,DNSNAME) | stats count by newfield

wsw70 · ‎12-22-2011

Aahhh - I was looking at the "if" (as I mentioned) but somehow it did not ring a bell.
Thanks!

conditional field choice

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!