https://community.splunk.com/t5/Splunk-Search/how-to-add-a-value-to-a-fieldvalue-if-a-certain-field-exists/m-p/566088#M197257 <P>Are you sure you're calling isnotnull on the right field? From what you describe you'd rather need</P><PRE>|eval maxport=if(isnotnull(fieldx),max_port+1,max_port)</PRE><P>And are you sure that you want a new column <EM>maxport</EM> or do you want to overwrite <EM>max_port</EM>?</P> Tue, 07 Sep 2021 08:08:41 GMT PickleRick 2021-09-07T08:08:41Z https://community.splunk.com/t5/Splunk-Search/how-to-add-a-value-to-a-fieldvalue-if-a-certain-field-exists/m-p/566081#M197254 <P>Hello everyone!</P><P>I struggle to find a way to add a value (for example 1) to a fieldvalue in case a certain field exists. Let's say this certain field is fieldx and it only exists and has a value, when you specifically block a port. After you've unblocked it, the field disappears.</P><P>what I'm currently looking at is a maxvalue of a field (for example the highest destination port number) so I go&nbsp;</P><P><BR /><STRONG>index=firewall destport=*</STRONG><BR /><STRONG>|stats max(destport) as max_port</STRONG></P><P>now I have my highest destination port. let's say it's 65000&nbsp;</P><P>&nbsp;</P><P>what I'm now trying to accomplish is, that, if this port is currently blocked and the fieldx=blocked appears, I want to add a 1 to the max_port value -&gt; 65001 and otherwise leave it be.<BR /><BR />I've tried an eval if&nbsp; like that:</P><P><STRONG>|eval maxport=if(isnotnull(fieldx),max_port+1,max_port)</STRONG></P><P>&nbsp;</P><P>but it doesn't work. do I have something wrong?&nbsp;</P><P>ps: in reality I don't know what the value of the fieldx is, so I can't just if(fieldx==blocked,...). but since the field only appears if there is a value in it to begin with, I would use that to my advantage.</P><P>&nbsp;</P><P>also, is it possible to add the +1 only for a certain period of time ? for example add +1 to the value as long as it is in a two week frame ?&nbsp;</P><P>&nbsp;</P> Tue, 07 Sep 2021 09:08:48 GMT https://community.splunk.com/t5/Splunk-Search/how-to-add-a-value-to-a-fieldvalue-if-a-certain-field-exists/m-p/566081#M197254 avoelk 2021-09-07T09:08:48Z https://community.splunk.com/t5/Splunk-Search/how-to-add-a-value-to-a-fieldvalue-if-a-certain-field-exists/m-p/566088#M197257 <P>Are you sure you're calling isnotnull on the right field? From what you describe you'd rather need</P><PRE>|eval maxport=if(isnotnull(fieldx),max_port+1,max_port)</PRE><P>And are you sure that you want a new column <EM>maxport</EM> or do you want to overwrite <EM>max_port</EM>?</P> Tue, 07 Sep 2021 08:08:41 GMT https://community.splunk.com/t5/Splunk-Search/how-to-add-a-value-to-a-fieldvalue-if-a-certain-field-exists/m-p/566088#M197257 PickleRick 2021-09-07T08:08:41Z https://community.splunk.com/t5/Splunk-Search/how-to-add-a-value-to-a-fieldvalue-if-a-certain-field-exists/m-p/566092#M197260 <P>True! tnx, I edited my question. I meant to put fieldx in it, not max_port.<BR />actually I want to overwrite maxport, the new field was just to show whether my eval works or not (it doesn't).&nbsp;</P> Tue, 07 Sep 2021 08:26:52 GMT https://community.splunk.com/t5/Splunk-Search/how-to-add-a-value-to-a-fieldvalue-if-a-certain-field-exists/m-p/566092#M197260 avoelk 2021-09-07T08:26:52Z https://community.splunk.com/t5/Splunk-Search/how-to-add-a-value-to-a-fieldvalue-if-a-certain-field-exists/m-p/566101#M197266 <P>Well... should work</P><LI-CODE lang="markup">| makeresults | eval port=123 | eval port=if(isnotnull(fieldx),port+1,port)</LI-CODE><P>Gives you port 123</P><LI-CODE lang="markup">| makeresults | eval port=123 | eval fieldx="whatever" | eval port=if(isnotnull(fieldx),port+1,port)</LI-CODE><P>Gives 124.</P><P>&nbsp;</P> Tue, 07 Sep 2021 09:35:30 GMT https://community.splunk.com/t5/Splunk-Search/how-to-add-a-value-to-a-fieldvalue-if-a-certain-field-exists/m-p/566101#M197266 PickleRick 2021-09-07T09:35:30Z