Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to check if field exists and bring another field if true

fpedrosa
Engager
‎03-09-2022 04:01 AM

Hi, I have this search:

 

 

| spath 
| rename object.* as *
| spath path=events{} output=events
| stats by timestamp, events, application, event_type, account_id, context.display_name,
| mvexpand events
| eval _raw=events
| kv
| table timestamp, payload.rule_description,  "context.display_name",  account_id, "event_type", "application", "payload.rule_url"
| rename account_id as "Account ID", timestamp as "Timestamp", context.display_name as "System", context.host_url as "Host URL", event_type as "Event Type", "title" as "Title", "application" as "Application",  "payload.rule_url" as "URL"

 

 

 
I have a json with multiple `events,  inside this event  I have "payload.rule_description", but, some record, doesn't have this "payload.rule_description" object, so, I don't have the "payload.rule_description".

How can I check if the record has the "payload.rule_description" if not, brings `event_type`  instead?

Tried to use `eval title=if(payload.rule_description, payload.rule_description, event_type)`  doesn't work.

Thanks

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-09-2022 05:35 AM

Ahh, right. You have a dot in your field name. In such case (non alphanumerical characters in field name) you have to put the field name in single quotes.

| eval title=coalesce('payload.rule_description',eventtype)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-09-2022 04:35 AM 
| eval title=coalesce(payload.rule_description,eventtype)
0 Karma
Reply
Solved! Jump to solution

fpedrosa
Engager
‎03-09-2022 05:08 AM

Thanks @PickleRick  but didn't work... brings me event_type for all records, even the record with payload.rule_description

fpedrosa_0-1646831301179.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-09-2022 05:35 AM

Ahh, right. You have a dot in your field name. In such case (non alphanumerical characters in field name) you have to put the field name in single quotes.

| eval title=coalesce('payload.rule_description',eventtype)
0 Karma
Reply
Solved! Jump to solution

fpedrosa
Engager
‎03-09-2022 05:39 AM

Thanks again, unfortunately still the same... here is my search:

| spath 
| rename object.* as *
| spath path=events{} output=events
| stats by timestamp, events, application, event_type, account_id, context.display_name,
| mvexpand events 
| eval _raw=events
| eval title=coalesce('payload.rule_description', event_type) 
| kv
| table timestamp, title,  "context.display_name",  account_id, "event_type", "application", "payload.rule_url"
| rename account_id as "Account ID", timestamp as "Timestamp", context.display_name as "System", context.host_url as "Host URL", event_type as "Event Type", "title" as "Title", "application" as "Application",  "payload.rule_url" as "URL"
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-09-2022 05:52 AM

But you're evaluating this too early. You have to do it after kv. Before kv you don't have values in your fields.

0 Karma
Reply
Solved! Jump to solution

fpedrosa
Engager
‎03-09-2022 06:06 AM

@PickleRick   do you know how I can get the array index for the json?  for example, with my search, I'll split the `events`  array into a new record, but I need to know the index of the original event, so I can grab it when I'll develop row expansion, to show more data.

Do you know how to do this?

0 Karma
Reply
Solved! Jump to solution

fpedrosa
Engager
‎03-09-2022 05:55 AM

You are right!! Works now! Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...