Hello fellows!
I have a sourcetype called cmdb with a field called BIA for any src_host.
After this join
index=lab sourcetype=A | join type=left src_host [search index=lab sourcetype=cmdb]
Most of the src_host values now have the BIA field, but some of them don't. That's OK, because they do not exist in the cmdb sourcetype.
I want to fix the value of the BIA field for these hosts.
I tried to use a lot of things like...
| eval BIA = if( len(BIA)==0, "FIX", BIA)
but it is not running fine.
Can someone help me?
You can't use the eval test as BIA is a null field in those events, so use fillnull instead
| fillnull BIA value="FIX"
Hi @bowesmana
I found an issue...
In sourcetype=cmdb, all the events have the field BIA with "H", "M" or "L" values.
After the join, and using fillnull, if I use fillnull BIA value="E", 100% of the events have one of the 4 values, but if I use fillnull BIA value="H", 100% of the events will have the "H" value.
What am I doing wrong?
Can you post your full search?
I found the mistake...
It was a syntax error
The right way is
| fillnull value="FIX" BIA
not
| fillnull BIA value="FIX"
Thanks again!
Great! Great! Great! @bowesmana
Thanks for your help!
Using join is not generally a good idea in Splunk as it has limitations which may silently affect your data.
Join functionality is generally achieved in Splunk using this construct:
index=lab (sourcetype=A OR sourcetype=cmdb)
| stats values(*) as * by src_host
This will generally always be faster than a join and not have limitations.
The 'values(*) as *' can be tailored to carry forward whatever fields you want in the resultant rows.
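To try the stats-based construct on constructed data, here is an added example that is not from the thread: makeresults fakes three sourcetype=A events and three cmdb rows (hostnames, bytes and BIA values are invented), stats collapses them by src_host, and fillnull fills BIA only where cmdb had no row. Note that stats ... BY behaves like an outer join, so app01, which exists only in cmdb, also comes out; the final search keeps only hosts seen in sourcetype A, which matches the original left join.

```spl
| makeresults count=6
| streamstats count AS n
``` constructed sample data: rows 1-3 play sourcetype=A, rows 4-6 play sourcetype=cmdb ```
| eval sourcetype=case(n<=3, "A", true(), "cmdb")
| eval src_host=case(n==1, "web01", n==2, "web02", n==3, "db01",
                     n==4, "web01", n==5, "web02", n==6, "app01")
``` only the "A" events carry bytes, only the cmdb rows carry BIA ```
| eval bytes=case(n==1, 512, n==2, 128, n==3, 2048)
| eval BIA=case(n==4, "H", n==5, "L", n==6, "M")
| fields - n _time
``` the construct from the answer above: one row per src_host, all fields carried forward ```
| stats values(*) AS * BY src_host
``` value= must come before the field list, as found in the thread ```
| fillnull value="FIX" BIA
``` stats joins both ways; keep only hosts that had a sourcetype=A event, like the left join ```
| search sourcetype="A"
| table src_host sourcetype bytes BIA
```

Expected rows: web01 gets H, web02 gets L, db01 (no cmdb row) gets FIX, and app01 is dropped by the final search because it only existed in cmdb.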