topic Re: How to check if field exists and bring another field if true in Splunk Search

How to check if field exists and bring another field if true

fpedrosa — Wed, 09 Mar 2022 12:02:35 GMT

Hi, I have this search:

| spath | rename object.* as * | spath path=events{} output=events | stats by timestamp, events, application, event_type, account_id, context.display_name, | mvexpand events | eval _raw=events | kv | table timestamp, payload.rule_description, "context.display_name", account_id, "event_type", "application", "payload.rule_url" | rename account_id as "Account ID", timestamp as "Timestamp", context.display_name as "System", context.host_url as "Host URL", event_type as "Event Type", "title" as "Title", "application" as "Application", "payload.rule_url" as "URL"

I have a json with multiple `events, inside this event I have "payload.rule_description", but, some record, doesn't have this "payload.rule_description" object, so, I don't have the "payload.rule_description".

How can I check if the record has the "payload.rule_description" if not, brings `event_type` instead?

Tried to use `eval title=if(payload.rule_description, payload.rule_description, event_type)` doesn't work.

Thanks

Re: How to check if field exists and bring another field if true

PickleRick — Wed, 09 Mar 2022 12:35:11 GMT

| eval title=coalesce(payload.rule_description,eventtype)

Re: How to check if field exists and bring another field if true

fpedrosa — Wed, 09 Mar 2022 13:08:54 GMT

Thanks @PickleRick but didn't work... brings me event_type for all records, even the record with payload.rule_description

Re: How to check if field exists and bring another field if true

PickleRick — Wed, 09 Mar 2022 13:35:49 GMT

Ahh, right. You have a dot in your field name. In such case (non alphanumerical characters in field name) you have to put the field name in single quotes.

| eval title=coalesce('payload.rule_description',eventtype)

Re: How to check if field exists and bring another field if true

fpedrosa — Wed, 09 Mar 2022 13:39:25 GMT

Thanks again, unfortunately still the same... here is my search:

| spath | rename object.* as * | spath path=events{} output=events | stats by timestamp, events, application, event_type, account_id, context.display_name, | mvexpand events | eval _raw=events | eval title=coalesce('payload.rule_description', event_type) | kv | table timestamp, title, "context.display_name", account_id, "event_type", "application", "payload.rule_url" | rename account_id as "Account ID", timestamp as "Timestamp", context.display_name as "System", context.host_url as "Host URL", event_type as "Event Type", "title" as "Title", "application" as "Application", "payload.rule_url" as "URL"

Re: How to check if field exists and bring another field if true

PickleRick — Wed, 09 Mar 2022 13:52:45 GMT

But you're evaluating this too early. You have to do it after kv. Before kv you don't have values in your fields.

Re: How to check if field exists and bring another field if true

fpedrosa — Wed, 09 Mar 2022 13:55:25 GMT

You are right!! Works now! Thanks!

Re: How to check if field exists and bring another field if true

fpedrosa — Wed, 09 Mar 2022 14:06:48 GMT

@PickleRick do you know how I can get the array index for the json? for example, with my search, I'll split the `events` array into a new record, but I need to know the index of the original event, so I can grab it when I'll develop row expansion, to show more data.

Do you know how to do this?