topic How to replace a field if a specific value is seen in Splunk Search

How to replace a field if a specific value is seen

benspader — Tue, 05 Mar 2013 15:45:22 GMT

I am trying to replace a value in my search. For example if I get host=10.0.0.1 I want to grab the IP from src_ip=192.168.0.1.

Thanks in advance!

Re: How to replace a field if a specific value is seen

yannK — Tue, 05 Mar 2013 15:53:27 GMT

use an eval, and a condition like : fieldA=if(condition is fulfilled, then use value in Other fieldB, else use the pre-existing value in fieldA)

< my search > | eval IP=if(host=="10.0.0.1",src_ip,IP)

Re: How to replace a field if a specific value is seen

benspader — Tue, 05 Mar 2013 16:51:15 GMT

Thank you yannK! That was very helpful!

Re: How to replace a field if a specific value is seen

cblanton — Mon, 15 Jul 2019 23:50:34 GMT

I'm trying to do exactly the same thing, but no matter what the value of the Event field, the new field evaluates to the value of MedRepoCloneMergeTimemin and not "na" as expected.

| eval newfield=if(in(Event,"mock"), "na", MedRepoCloneMergeTimemin)

| eval newfield=if(Event == mock, "na", MedRepoCloneMergeTimemin)

What am I missing? thanks for any ideas.