topic Re: Eval command for a field to assign multi value fields in Splunk Search

How to use eval to assign a field values of two different fields?

neerajs_81 — Thu, 10 Mar 2022 15:46:46 GMT

Gentlemen,
How can i use eval to assign a field values of 2 different fields ?

In my events, i have 2 fields: empID and Non-empID . I want eval to create a new field called identity and this should have the value of either empID OR Non-empID whichever is present . Hope i am clear

I tried

eval identity = coalesce (empID , Non-empID )

but this didn't work.

Any suggestions ? Any other way to get this done if eval doesn't do it ?
Eventually i am going to have a table as follows, and the Identity column should consolidate empID / Non-empID whichever is present for that employee record.

identity	First	Last	email
Emp ID
Non-Emp ID

Re: Eval command for a field to assign multi value fields

gcusello — Thu, 10 Mar 2022 08:59:09 GMT

Hi @neerajs_81,

the minus sign "-" sometimes isn't recognized in Splunk field names, Sop I hint to avoid or rename it, in other words:

your_search | rename "Non-empID" as Non_empID | eval identity=coalesce(empID,Non_empID )

but I don't understand if you want to take only one value or a multi value, as you said in the question title: using eval and coalesce, you have a single value field not a multi value, could you use some example to describe your need?

Ciao.

Giuseppe

Re: Eval command for a field to assign multi value fields

ITWhisperer — Thu, 10 Mar 2022 09:04:23 GMT

coalesce should work as you have used it, however, this assume that the "missing" field is null, not just blank. You could try inserting

| eval empID=if(empID="",null(),empID)

Although if you are going to do the comparison, you could try

| eval identity=if(isnull(empID) OR empID="",Non-empID,empID)

Re: Eval command for a field to assign multi value fields

neerajs_81 — Thu, 10 Mar 2022 09:30:33 GMT

Thank you for responding. Maybe wrong choice of words but here is my use case.
We have some users that either have a empID or Non-empID depending on their role. Example:

First	Last	empID	Non-empID
John	xx	1234
Dave	xxx		3456

I need to merge/ consolidate both the ID values in a common field "identity" which will be my unique identifier for that user. So the final result should be like this"

First	Last	identity
John	xx	1234
Dave	xxx	3456

Hope this helps ?

Re: Eval command for a field to assign multi value fields

neerajs_81 — Thu, 10 Mar 2022 09:32:54 GMT

@ITWhisperer thank you. In my case, the missing values are blank . Basically the folks who don't have either of ID have that value showing as blank <empty> when i output to a table.

Re: Eval command for a field to assign multi value fields

gcusello — Thu, 10 Mar 2022 09:53:11 GMT

Hi @neerajs_81,

yes, the solution is the one of my previous answer: you have to use eval coalesce command :

your_search | rename "Non-empID" AS Non_empID | eval identity=coalesce(empID,Non_empID) | stats values(First) AS First last(Last) As Last BY identity

Ciao.

Giuseppe

Re: Eval command for a field to assign multi value fields

gcusello — Thu, 10 Mar 2022 10:16:01 GMT

Hi @neerajs_81,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉