Solved: condition to display selected field

sg5258 · ‎06-11-2012

I have a scenario which i need to use a search query to display selected field if the content is not "NULL".. was thinkig to use eval .. but cause i am still new to splunk... really need some guide overhere..
the sample is following:

Action Date | ApprOfficer |ID_diff| Mail_diff|Opt_diff| Name_diff | RC_diff |Role_diff |Box_diff
 1/2/2011      ABC           NULL     1234      ABCB    NULL         LEFD     0987        asd
 2/3/2012      DEF           NULL     NULL      ZENG    NULL         NULL     NULL        NULL
 5/5/2012      ACFD          1205     NULL      NULL    soemthing    NULL     NULL        NULL

the some of the field above is null and i only want to display the column that is not null..
i am thinking create a new field to display the "_diff" .. and inside the _diff append the filed changed + the value
the ideal search result is like this..

Action Date | ApprOfficer |_diff
1/2/2011      ABC          Mail_diff--1234 opt_diff--ABCB RC_diff--LEFD Role_diff--0987 Box_diff--asd
2/3/2012      DEF          opt_diff--ZENG
5/5/2012      ACFD         ID_diff-- 1205 Name_diff--soemthing

Really appreciate if someone can give me some guidance for splunk search.. i am newbie to this application!!!

I actually try this

eval diff=if(ID_diff !="NULL" "ID_diff --".ID_diff."Mail_diff --".Mail_diff, Mail_diff) then continue. for the next eval..

sg5258 · ‎06-14-2012

sure of course!!!
here is my solution

  index="post-dept" ActionTaken="UPDATE"| 
eval new = if (Desc_diff != "NULL", "Desc_diff--".Desc_diff,"") | 
eval new1 = if (Mail_diff != "NULL", "Mail_diff--".Mail_diff,"") | 
eval new2 = if (Mgmt_diff != "NULL", "Mgmt_diff--".Mgmt_diff,"") | 
eval new3 = if (GMail_diff != "NULL", "GMail_diff--".GMail_diff,"") | 
eval new4 = if (LMail_diff != "NULL", "LMail_diff--".LMail_diff,"") | 
eval new5 = if (create_data != "NULL", "create_data--".create_data,"") | 
eval Changed=  new." ".new1." ".new2 ." ".new3 ." ".new4 ." ".new5  |table Changed, ActionDate, ActionResult, UpdateOfficer, ApprOfficer,deptDesc

basically, i do if (field1 != "NULL", "field1--".field1, "") then repeatedly do the rest..
then concat all the field 🙂

View solution in original post

sg5258 · ‎06-14-2012

sure of course!!!
here is my solution

  index="post-dept" ActionTaken="UPDATE"| 
eval new = if (Desc_diff != "NULL", "Desc_diff--".Desc_diff,"") | 
eval new1 = if (Mail_diff != "NULL", "Mail_diff--".Mail_diff,"") | 
eval new2 = if (Mgmt_diff != "NULL", "Mgmt_diff--".Mgmt_diff,"") | 
eval new3 = if (GMail_diff != "NULL", "GMail_diff--".GMail_diff,"") | 
eval new4 = if (LMail_diff != "NULL", "LMail_diff--".LMail_diff,"") | 
eval new5 = if (create_data != "NULL", "create_data--".create_data,"") | 
eval Changed=  new." ".new1." ".new2 ." ".new3 ." ".new4 ." ".new5  |table Changed, ActionDate, ActionResult, UpdateOfficer, ApprOfficer,deptDesc

basically, i do if (field1 != "NULL", "field1--".field1, "") then repeatedly do the rest..
then concat all the field 🙂

Lamar · ‎06-14-2012

Can you please post your answer to the problem/issue? It would be much appreciated.

sg5258 · ‎06-13-2012

Hi Kristian,
thanks for the asking..
I think i resolved this problem myself already 🙂

kristian_kolb · ‎06-13-2012

A couple of questions first:
Is your sample what the log file looks like (i.e. 3 events with a header row), or is the sample above just a single event?

Are these columns available to you as extracted fields?

Your eval does not look correct (the if-statement).

/k

condition to display selected field

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!