https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433921#M123887 <P>Try this. The new field name will be called <CODE>NewField</CODE> and assumes your field name is <CODE>field</CODE> </P> <PRE><CODE>| eval NewField=if(isnull(Field),"null",'Field') </CODE></PRE> Wed, 29 Aug 2018 12:09:19 GMT skoelpin 2018-08-29T12:09:19Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433919#M123885 <P>Hello,<BR /> I want to create a new field that will take the value of other fields depending of which one is filled.</P> <P>For example, I have 5 fields but only one can be filled at a time. The other fields don't have any value.</P> <PRE><CODE>Field1: Field2: Field3: Field4: Ok Field5: </CODE></PRE> <P>How can I write the eval to check if a field1 is null, take the value of the following field2, if it is also null, take the value of field3 until it reaches the not null field?</P> <P>Thank you.</P> Wed, 29 Aug 2018 09:46:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433919#M123885 lyds 2018-08-29T09:46:46Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433920#M123886 <P>//// I have 5 fields but only one can be filled at a time. The other fields don't have any value ////<BR /> In your search use the fillnull command and assign a value to that field when it is null, then count that value for the field.</P> <PRE><CODE>search Field="*" | fillnull value=NULL | stats count by Field | where count=1 </CODE></PRE> <P>Updated - with coalesce, try this one.. </P> <P><CODE>search Field="*" | eval NewField=coalesce(Field1, Field2, Field3, Field4, Field5) | eval result=if(NewField="Ok", "all good", "some fields are not null")</CODE></P> Wed, 29 Aug 2018 12:05:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433920#M123886 inventsekar 2018-08-29T12:05:09Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433921#M123887 <P>Try this. The new field name will be called <CODE>NewField</CODE> and assumes your field name is <CODE>field</CODE> </P> <PRE><CODE>| eval NewField=if(isnull(Field),"null",'Field') </CODE></PRE> Wed, 29 Aug 2018 12:09:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433921#M123887 skoelpin 2018-08-29T12:09:19Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433922#M123888 <P>Hi @skoelpin ... i think you missed the 5 fields part of the question.. <BR /> --- I have 5 fields but only one can be filled at a time. The other fields don't have any value.</P> Wed, 29 Aug 2018 13:12:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433922#M123888 inventsekar 2018-08-29T13:12:47Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433923#M123889 <P>It's the same exact logic with a case statement... </P> Wed, 29 Aug 2018 13:51:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433923#M123889 skoelpin 2018-08-29T13:51:07Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433924#M123890 <P>I think I'd use the coalesce eval function. It's description is 'This function takes an arbitrary number of arguments and returns the first value that is not NULL.'</P> Thu, 30 Aug 2018 08:05:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433924#M123890 RHASQaL 2018-08-30T08:05:13Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433925#M123891 <P>with coalesce, try this one.. <BR /> <CODE>search Field="*" | eval NewField=coalesce(Field1, Field2, Field3, Field4, Field5) | eval result=if(NewField="Ok", "all good", "some fields are not null")</CODE></P> Thu, 30 Aug 2018 09:26:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433925#M123891 inventsekar 2018-08-30T09:26:03Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433926#M123892 <P>Try <CODE>coalesce</CODE> command </P> <P>eval new_field=coalesce(Field1,Field2,....)</P> <P><A href="https://www.splunk.com/blog/2014/03/21/search-command-coalesce.html">https://www.splunk.com/blog/2014/03/21/search-command-coalesce.html</A> </P> Thu, 30 Aug 2018 21:34:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433926#M123892 nawazns5038 2018-08-30T21:34:23Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433927#M123893 <P>I've used coalesce command, and I get what I wanted to display! </P> <P>Thanks you all for the help!</P> Fri, 31 Aug 2018 11:50:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433927#M123893 lyds 2018-08-31T11:50:54Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433928#M123894 <P>@lyds, If your problem is resolved, please accept an answer to help future readers.</P> Fri, 31 Aug 2018 12:27:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-conditional-eval-to-fill-a-new-field-depending/m-p/433928#M123894 richgalloway 2018-08-31T12:27:17Z