Question: I am using the default Splunk UI Search screen in which I have a search containing a field of categorical values (e.g. host names) which I would like to convert to numbers. So far, the only solution I have found is to use the eval-case combination to identify and convert each name. This works great if you have a small finite list of names. My field has an undetermined number of names and I want to avoid using Splunk's built-in hot coding e.g. eval {field} = 1. This spawns a set of columns which can run into very high numbers depending on the cardinality of the field.
Below is an example using eval and case. Again, this works fine for a few known values. I am seeking a more dynamic approach to deal with a large number of values.
| eval src_zone_num = case(src_zone == "zone1", 1, src_zone == "zone2", 2, src_zone == "zone3", 3, src_zone == "zone4", 4, src_zone == "zone5", 5)
