Assign value to multiple fields in an event based on single if condition

payl_chdhry — Thu, 22 Jul 2021 13:02:00 GMT

Hi,

I have an use case where I have an if condition involving multiple comparisons. Based on its outcome, I want to re-assign values in multiple fields. Consider below example:

My fields are: A1, B1, C1, A2, B2, C2 and few other fields

I have an if condition and when it is true to assign value as below and if false do nothing:

A1=A2

B1=B2

C1=C2

Now my query is, right now if I want to do this, I would have to write 3 different eval commands like below doing exact same comparisons:

| eval A1=if(<condition>, A2, A1)

| eval B1=if(<condition>, B2, B1)

| eval C1=if(<condition>, C2, C1)

Is there a way so that if I only use if once and when true, all three fields would get assigned value in one go. If there is a way, in terms of performance is above still better, I would be running this for more than hundred thousand records ?

Re: Assign value to multiple fields in an event based on single if condition

ITWhisperer — Thu, 22 Jul 2021 13:41:17 GMT

Is there a direct relationship between the fields e.g. would something like

eval *1=if(condition, *2, *1)

make sense? If so, use foreach (it doesn't stop the multiple evaluations of the condition but at least you only have to write it once).

Is this issue that the condition is complex and you don't want to evaluate it multiple times? If so, would something like

eval set=if(complexcondition,1,0)

eval A1=If(set=1,A2,A1)

etc.

make sense?

Can you combine A1, B1, C1 into a multi-value field and A2, B2, C2 into another mv field and the assign one mv field to the other based on the condition?

topic Re: Assign value to multiple fields in an event based on single if condition in Splunk Search

Assign value to multiple fields in an event based on single if condition

Re: Assign value to multiple fields in an event based on single if condition