Database Reference
In-Depth Information
Other commands
These commands are also commonly used for analysis in Splunk. Several of those listed
help subset and modify fields for targeted analyses. The lookup command links a field to a
lookup table, from which results can be identified and output:
Command | What it Does
fields | The fields command is used to remove fields from a search. Thus, the command fields field1 field3 keeps only the fields labeled field1 and field3.
replace | The replace command substitutes one value for another. In the statement replace 0 with Check, 9 with Warning in Status, status values of 0 are replaced with Check and status values of 9 are replaced with Warning.
eval | The eval command makes calculations and puts them into a new field. This code, eval Depth=case(depth<=3, "Low", depth>3 AND depth<=10, "Medium", depth>10, "High"), creates a new field, Depth, and uses the case function to assign the labels Low, Medium, or High, depending on the value.
lookup | The lookup command calls up a lookup table that lets you add new field values. In the statement lookup status_desc status OUTPUT description, the field status is looked up in the status_desc lookup table and the corresponding description is output.
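To show how these four commands combine into one enrichment pipeline, the following is an added Python example, not code from the book or from Splunk: it models fields, replace, eval with case(), and lookup as functions over a small set of constructed events and a constructed status_desc table (the host, depth, src_ip values and the description strings are all made up for the example). It also shows why command order matters: the lookup runs against the raw status codes, so it must come before replace rewrites those codes to Check and Warning.

```python
# Added example (not from the book or Splunk): models the four commands from the
# table -- fields, replace, eval with case(), and lookup -- over constructed events.

# Constructed sample events standing in for search results (not real log data).
SAMPLE_EVENTS = [
    {"host": "web01", "status": "0", "depth": 2, "src_ip": "10.0.0.5"},
    {"host": "web02", "status": "9", "depth": 7, "src_ip": "10.0.0.9"},
    {"host": "db01", "status": "5", "depth": 12, "src_ip": "10.0.0.12"},
]

# Constructed lookup table, equivalent to a status_desc.csv with columns
# status,description. The descriptions are invented for this example.
STATUS_DESC = {
    "0": "Normal completion",
    "5": "Authentication failure",
    "9": "Disk warning",
}


def fields(events, *keep):
    """`fields field1 field3`: keep only the listed fields, dropping all others."""
    return [{k: e[k] for k in keep if k in e} for e in events]


def replace(events, field, mapping):
    """`replace 0 with Check, 9 with Warning in status`: substitute values in one
    field. Values not in the mapping are left untouched."""
    return [{**e, field: mapping.get(e.get(field), e.get(field))} for e in events]


def eval_case(events, new_field, *branches):
    """`eval Depth=case(cond1, "Low", cond2, "Medium", ...)`: the first branch
    whose predicate is true supplies the label; if none matches, the new field
    is left absent (null)."""
    out = []
    for e in events:
        row = dict(e)
        for predicate, label in branches:
            if predicate(e):
                row[new_field] = label
                break
        out.append(row)
    return out


def lookup(events, table, match_field, output_field):
    """`lookup status_desc status OUTPUT description`: match the event's field
    against the table and add output_field when a row matches."""
    out = []
    for e in events:
        row = dict(e)
        if e.get(match_field) in table:
            row[output_field] = table[e[match_field]]
        out.append(row)
    return out


def depth_branches():
    # Mirrors: case(depth<=3, "Low", depth>3 AND depth<=10, "Medium", depth>10, "High")
    return [
        (lambda e: e["depth"] <= 3, "Low"),
        (lambda e: 3 < e["depth"] <= 10, "Medium"),
        (lambda e: e["depth"] > 10, "High"),
    ]


def run_pipeline(events=SAMPLE_EVENTS):
    """Equivalent of the search pipeline:
        ... | lookup status_desc status OUTPUT description
            | eval Depth=case(...)
            | replace 0 with Check, 9 with Warning in status
            | fields host status description Depth
    lookup runs before replace because the table is keyed on the raw codes."""
    step = lookup(events, STATUS_DESC, "status", "description")
    step = eval_case(step, "Depth", *depth_branches())
    step = replace(step, "status", {"0": "Check", "9": "Warning"})
    return fields(step, "host", "status", "description", "Depth")


if __name__ == "__main__":
    for row in run_pipeline():
        print(row)
```

Running the pipeline yields three rows: web01 with status Check, description "Normal completion" and Depth Low; web02 with status Warning, "Disk warning" and Depth Medium; and db01, whose status 5 has no replace mapping and so stays 5, with "Authentication failure" and Depth High. The src_ip field is dropped by the final fields step. Swapping replace ahead of lookup would leave the first two rows without a description, because Check and Warning are not keys in the table.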