Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

eval & coalesce

hagjos43
Contributor
‎11-28-2012 11:28 AM

I'm trying to normalize various user fields within Windows logs. The fields I'm trying to combine are users Users and Account_Name.

My query isn't failing but I don't think I'm quite doing this correctly.

I'm using the string:
| eval allusers=coalesce(users,Users,Account_Name)

Tags (2)
Reply

Ayn
Legend
‎11-29-2012 04:10 AM

coalesce takes a number of fields and returns the first one that is not null. So, if that's the behaviour you want, your query seems fine to me.

Reply

hagjos43
Contributor
‎11-29-2012 03:27 AM

I want to not have duplicates that may exist in both fields.
Jsmith may have logged onto a Win Server 2k3 box and the field is called "users" then he may log onto a win 2k8 box and the field is called "Users" The differences being the uppercase and lowercase "u"

0 Karma
Reply

Ayn
Legend
‎11-28-2012 12:13 PM

Do you want to concatenate those fields or use the first in that list that is not null?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...