Solved: EVAL is overwriting field of other add-on

rleena · ‎01-31-2017

Hi,

I have an EVAL statements in two add-ons. The field names are same and the add-on that comes later in alphabetical order, overwrites the value set by earlier add-on. I have tried coalesce with if statement, but not able to solve this problem. In the second add-on when I am checking, looks like the value of the field is null and the one that has been set by the earlier add-on. So seems like there is no way to retain it conditionally, rather than overwriting it.

Kindly suggest a solution. Thank you.

somesoni2 · ‎02-01-2017

You need to copy the expression used in first add-on to your add-on where you're setting the default value. So you need to use this in your add-on.

EVAL-vendor_product = if(searchmatch("testproduct"),"test","abc")

If your add-on is installed, the first add-on's configuration doesn't apply and there is no verndor_product field available before hand. So when your's is evaluated, it assigns null for vendor_product to events which are not matching your expression.

View solution in original post

somesoni2 · ‎02-01-2017

You need to copy the expression used in first add-on to your add-on where you're setting the default value. So you need to use this in your add-on.

EVAL-vendor_product = if(searchmatch("testproduct"),"test","abc")

If your add-on is installed, the first add-on's configuration doesn't apply and there is no verndor_product field available before hand. So when your's is evaluated, it assigns null for vendor_product to events which are not matching your expression.

rleena · ‎02-01-2017

Thank you. That's what I wanted to confirm.

somesoni2 · ‎02-01-2017

These are add-ons you downloaded from Splunk apps or your custom? A suggested by Lisa, either don't use the same named field in two add-ons or remove the EVAL from both the Add-ons and create it in separate add-on/apps.

rleena · ‎02-01-2017

Hello, Thank you for response. I am trying to create a custom add-on.

somesoni2 · ‎02-01-2017

So, in the EVAL of the custom add-on which has higher precedence, you include the condition/expression you used in first add-on as well. So that if it's overwrite, it still follows the same expression.

E.g. add-on 1

EVAL-field = <<some expression giving value1>>

add-on 2

EVAL-field = coalesce(<<some expression giving value2>>,<<some expression giving value1>>)

rleena · ‎02-01-2017

Thank you. I want to check expression for my messages and set a value for field using EVAL if expression is true, and if not, then don't touch the existing field value for other messages. Is that possible?

somesoni2 · ‎02-01-2017

Did you try like this already

2nd Add-on

EVAL-field = if(<<some_expression evaluate true>>,"SomesValue",field)

If above doesn't work, can you share the EVAL definition that you have in other add-on?

rleena · ‎02-01-2017

yes I have tried, the field value is null in my add-on. I even checked with isnull(). So when condition is not evaluating to true, it overwrites with null for other messages

somesoni2 · ‎02-01-2017

Can you share the exact props.conf entry that you have/tried in both the add-on for that field?

rleena · ‎02-01-2017

In the first add-on which is not mine,
EVAL-vendor_product = "abc"

In my add-on: (comes alphabetically next)
EVAL-vendor_product = if(searchmatch("testproduct"),"test",vendor_product)

Now, "test" is correctly assigned to my messages, but for other messages "abc" is overwritten by null. vendor_product field is removed basically.

lguinn2 · ‎02-01-2017

My suggestion would be to not use the same field name in two different add-ons.

EVAL is overwriting field of other add-on

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms