Using eval and match with a case function

You can improve upon the prior search by using match instead of if and account for West and Central.

We also introduce the case function here. In the following illustration, you will see that we can set the value of a field by giving it a value of Label1 if Condition1 is true, Label2 if Condition2 is true, and so on:

    SPL> | eval newfield=case(Condition1, "Label1", Condition2, "Label2", 
              ConditionX, "LabelX")

Let us tweak the previous query to use case instead of if:

    SPL> index=main http_uri="/destination/*/details" 
         | eval Region=case(match(http_uri, "NY|MIA|MCO"), 
           "East", match(http_uri, "WAS|AK|LAX|PML"), "West", 
           match(http_uri, "HOU"), "Central") 
         | top 0 Region, http_uri | sort Region

The result will now properly classify the destinations based on the region:
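
Two behaviours of this pattern matter when Region feeds a report or an alert: case returns NULL when no condition is true, and match does an unanchored regular-expression match, so a code such as NY also matches inside a longer path segment. The search below is an added example, not part of the original text; it runs on constructed URIs generated with makeresults, and the field names Region_loose and Region_strict and the label "Unmapped" are illustrative assumptions.

```spl
| makeresults
| eval http_uri=split("/destination/NY/details,/destination/LAX/details,/destination/HOU/details,/destination/PENNY/details,/destination/SEA/details", ",")
| mvexpand http_uri
| eval Region_loose=case(
    match(http_uri, "NY|MIA|MCO"), "East",
    match(http_uri, "WAS|AK|LAX|PML"), "West",
    match(http_uri, "HOU"), "Central")
| eval Region_strict=case(
    match(http_uri, "^/destination/(NY|MIA|MCO)/details$"), "East",
    match(http_uri, "^/destination/(WAS|AK|LAX|PML)/details$"), "West",
    match(http_uri, "^/destination/HOU/details$"), "Central",
    true(), "Unmapped")
| table http_uri, Region_loose, Region_strict
```

The constructed PENNY row is labelled East by the loose version and Unmapped by the strict one, and the SEA row has an empty Region_loose but an explicit Unmapped value in Region_strict, so unclassified URIs remain visible in later stats or top commands. The SPL> prompt is omitted so the search can be pasted directly into the search bar.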