topic Re: Conditional rename using multiple fields in Splunk Search

How to rename a conditional field?

JohnEGones — Wed, 20 Sep 2023 20:10:46 GMT

Hi guys,

I need some help trying to rename a specific field on condition that the renamed field is associated with one or more separate fields.

Fields: Device_Name Device_Interface SomeField Pseudocode: <some query> | if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX") --> rename Value2 as "This String" | if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY") --> rename Value2A as "This Other String"

Re: Conditional rename using multiple fields

gcusello — Wed, 20 Sep 2023 14:12:23 GMT

Hi @JohnEGones,

you have to use eval with if or case, something like this:

<your_seaRCH> | eval Value2=if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX"),"This String",Value2) | eval Value2A=if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY"),"This Other String",Value2A)

Ciao.

Giuseppe

Re: Conditional rename using multiple fields

richgalloway — Wed, 20 Sep 2023 14:24:04 GMT

The rename command can't use conditions, but eval can.

<some query> | eval "This String" = if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX", Value2, null()) | eval "This Other String" = if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY", Value2A, null())

Re: Conditional rename using multiple fields

JohnEGones — Wed, 20 Sep 2023 14:43:24 GMT

Hi Rich (and Giuseppe),

I appreciate the prompt response, I realized that I messed up what I was asking, so some clarification:

<some search> | stats count by Device_Name, Device_Interface, SomeField | (here I want to rename the field *values* in Device_Interface that match the previous conditions, not rename the fieldname itself.) So here I am renaming the below field value: Device_Interface="xyz" ==> Device_Interface="x_y_z" BEFORE rename (this is a sample line from the stats output): DeviceName, xyz, someValue AFTER rename: DeviceName, x_y_z, someValue

Re: Conditional rename using multiple fields

gcusello — Wed, 20 Sep 2023 14:51:32 GMT

Hi @JohnEGones,

probably there's a terms misunderstanding:

do you want to rename the field name or assign a value to the field based on a condition?

if the first case, please, define the old and the new name to assign to the field and the conditions.

If the second, please define the field to assign the value and the conditions for all the values.

Ciao.

Giuseppe

Re: Conditional rename using multiple fields

richgalloway — Wed, 20 Sep 2023 14:57:46 GMT

Fields have a name and values. They can be renamed. Values do not have names so they cannot be renamed.

To change a value of a field, use the eval command to assign a new value.

| eval Device_Interface="x_y_z"

To change selected values of a field, use a condition within the eval.

| eval Device_Interface = if(Device_Interface="foo", "bar", Device_Interface)

Putting the field name in the else clause leaves the value unchanged if the condition is not met.

Re: Conditional rename using multiple fields

ITWhisperer — Wed, 20 Sep 2023 15:02:13 GMT

| eval Device_Interface=case(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX","This String",Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY","This Other String",true(),Device_Interface)

Re: Conditional rename using multiple fields

JohnEGones — Wed, 20 Sep 2023 15:02:28 GMT

Rich,

Ok, this is it. Thank you.

LOL. Some of this is simple when you see/get it, but SPL's versatility sometimes makes simple things opaque/unobvious to me.

@gcusello

Hi Giuseppe,

Thank you for your responses as well

Yeah, it is the second one, but I guess I was unsure if it is better to say, do this as a lookup, based on the number of potential renames, or whether it is less effort to just define the conditions to trigger the rename based on the results from the stats output, since it isn't always the case that a specific interface value will populate.

But coming back to original question, I have clarity on how to proceed given Rich's response.