Using eval and if

If you need to create a field for reporting based on the data present in an event, you can use the eval command to create the field and the if function to test for that condition.

The eval command takes the following form:

SPL> | eval newfield=if(condition, field1, field2)

Say you want to create an additional field at search time that records whether a destination is on the East Coast. In the following search, if a destination URI contains NY, MIA, or MCO, a new field called Region with the value East is added to each of those events; otherwise, Splunk sets Region to Others. Once that has been done, the search lists the newly created Region field and http_uri for all matching events, and sorts the results by Region:

SPL> index=main http_uri="/destination/*/details" 
     | eval Region=if(match(http_uri, "NY|MIA|MCO"), "East", "Others") 
     | top 0 Region, http_uri | sort Region

A small regular expression is used here as a case statement over the airport codes: NY|MIA|MCO. If http_uri contains NY, MIA, or MCO, its Region field value will be East; otherwise, it will be Others.
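The following is an added example, not code from the book or from Splunk: it emulates this search in Python over a handful of constructed sample events so the eval/if/match logic can be checked offline. The anchored pattern and the KENYA URI are assumptions added to show that Splunk's match() is an unanchored, case-sensitive regular-expression search, so a bare NY|MIA|MCO also fires on any other URI that happens to contain those letters.

```python
import re
from collections import Counter
from fnmatch import fnmatch

# Constructed sample events standing in for index=main (not real data).
EVENTS = [
    {"http_uri": "/destination/NY/details"},
    {"http_uri": "/destination/MIA/details"},
    {"http_uri": "/destination/LAX/details"},
    {"http_uri": "/destination/MCO/details"},
    {"http_uri": "/destination/NY/details"},
    {"http_uri": "/destination/KENYA/details"},  # contains "NY" as a substring (assumed input)
    {"http_uri": "/booking/confirm"},            # dropped by the http_uri wildcard filter
]

PAGE_PATTERN = r"NY|MIA|MCO"                                # the page's unanchored regex
ANCHORED_PATTERN = r"^/destination/(NY|MIA|MCO)/details$"  # hypothetical stricter variant


def eval_region(http_uri, pattern=PAGE_PATTERN):
    """Emulates: eval Region=if(match(http_uri, pattern), "East", "Others").

    Splunk's match() searches for the regex anywhere in the string and is
    case-sensitive by default, so re.search (not fullmatch) is the right model.
    """
    return "East" if re.search(pattern, http_uri) else "Others"


def run_search(events, pattern=PAGE_PATTERN):
    """Emulates the pipeline: http_uri="/destination/*/details" | eval ... | top 0 Region, http_uri | sort Region.

    Returns rows of (Region, http_uri, count, percent) ordered by Region; within a Region
    this emulation keeps top's count-descending order.
    """
    matched = [e for e in events if fnmatch(e["http_uri"], "/destination/*/details")]
    counts = Counter((eval_region(e["http_uri"], pattern), e["http_uri"]) for e in matched)
    total = sum(counts.values())
    rows = [(region, uri, n, round(100.0 * n / total, 6)) for (region, uri), n in counts.items()]
    rows.sort(key=lambda r: -r[2])  # top: most frequent first
    rows.sort(key=lambda r: r[0])   # sort Region (stable, so count order survives inside a Region)
    return rows


if __name__ == "__main__":
    for label, pattern in (("page pattern", PAGE_PATTERN), ("anchored pattern", ANCHORED_PATTERN)):
        print(f"--- {label} ---")
        for row in run_search(EVENTS, pattern):
            print(row)
```

With the page's pattern the KENYA URI is reported as East; with the anchored pattern it falls into Others, which is the check worth running before such a field drives a report.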

This should now return the data with the new fields: