Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to update my case statement to preserve original field contents

splunker1981
Path Finder
‎04-24-2018 12:01 PM

Hello Splunk experts,

Not sure if I'm going about this the right way, but I'd like to store contents of multiple fields in 1 field using an eval statement. I will be testing one of the fields against a specific string and the two other fields (json) I'd like to just store the current values if the they aren't null. Meaning I just want them to be added to the analysis_proposal field. Again, not sure if case is the best way to achieve this but any help would be really appreciated.

| eval analysis_proposal =
    case(
             isnotnull(field1) and field1=="my field 1 test.", "legacy",
             isnotnull(field10.contents), field10.contents,
             isnotnull(field20.contents{}), field20.contents{})
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-24-2018 12:31 PM

The case command would only execute expression where the condition is matched. If you want to process all three conditions, try this:

...| eval analysis_proposal=if(  isnotnull(field1) and field1=="my field 1 test.", analysis_proposal."legacy", analysis_proposal)
| eval analysis_proposal=if(  isnotnull(field10.contents) , analysis_proposal.'field10.contents' , analysis_proposal)
| eval analysis_proposal=if(  isnotnull(field20.contents) , analysis_proposal.'field20.contents', analysis_proposal)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-24-2018 12:31 PM

The case command would only execute expression where the condition is matched. If you want to process all three conditions, try this:

...| eval analysis_proposal=if(  isnotnull(field1) and field1=="my field 1 test.", analysis_proposal."legacy", analysis_proposal)
| eval analysis_proposal=if(  isnotnull(field10.contents) , analysis_proposal.'field10.contents' , analysis_proposal)
| eval analysis_proposal=if(  isnotnull(field20.contents) , analysis_proposal.'field20.contents', analysis_proposal)
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...