Solved: How to replace specific field value?

kdimaria · ‎08-18-2017

I am trying to replace a specific field. I have a table that is like:

Name Street Zip Note
John Wall 123 hello
.
.
.
So I am basically trying to change the Note column. I was doing like:
eval Note="changed note" WHERE Name="John"
to grab that specific note column and not change all of them but when I try to run that it does not work.

cmerriman · ‎08-18-2017

so you're trying to change the value of the Note column when Name=John?
does this work:

|eval Note=if(Name="John","changed note",Note)

View solution in original post

cmerriman · ‎08-18-2017

so you're trying to change the value of the Note column when Name=John?
does this work:

|eval Note=if(Name="John","changed note",Note)

cblanton · ‎07-24-2019

I'm trying to do this exact same thing but my search doesn't seem to recognize when, for example Name="John." It sets the Z value to Note, regardless. I've tried changing the Z value and that changes, but when the X matches, it doesn't return Y, only Z. So it is returning Z and not just not doing the eval all together.

| eval MedRepoCloneMergeTime=if(Event="mock", "NA", MedRepoCloneMergeTime)

When X doesn't match, it also returns Z.

cmerriman · ‎07-24-2019

Have you checked that the fields are spelled correctly and capitalized properly and the field value is also correctly spelled/capped? I know it’s silly but it’s critical. The fields and values need to exist and need to be exact. Do you have example data?

kdimaria · ‎08-21-2017

Yes that works thank you 🙂

How to replace specific field value?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes