https://community.splunk.com/t5/Splunk-Search/How-to-change-the-value-of-a-field-with-information-from-another/m-p/208062#M60660 <P>Try like this (Assuming 'one phone number must and only belongs to one user' is true)</P> <PRE><CODE>your current search giving UserID and phoneNumber field | eventstats values(UserID) as UserForPhone by phoneNumber | eval phoneNumber = UserForPhone. "-" .phoneNumber | fields - UserForPhone </CODE></PRE> Tue, 14 Jun 2016 15:41:04 GMT somesoni2 2016-06-14T15:41:04Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-value-of-a-field-with-information-from-another/m-p/208060#M60658 <P>Suppose that there is a log with two fields, userName and phoneNumber, the structure is like:</P> <P>userName | phoneNumber<BR /> A | 0111<BR /> A | 0222<BR /> | 0111<BR /> B | 0333<BR /> | 0222<BR /> | 0333<BR /> Namely, one phone number must and only belongs to one user. In some events, both two fields would appear but in other events, only phoneNumber field exists.<BR /> My question is, how to correlate each phone number with a particular user name, so that I can understand who has the number without depending on user name fields? I expect the new fields would like this:</P> <P>userName | phoneNumber<BR /> A | A, 0111<BR /> A | A, 0222<BR /> | <STRONG>A, 0111</STRONG><BR /> B | B, 0333<BR /> | <STRONG>A, 0222<BR /> | B, 0333</STRONG></P> <P>It's quite easy if both fields exist in one event:</P> <PRE><CODE>| eval phoneNumber = UserID. "-" .phoneNumber | </CODE></PRE> <P>But how to make this change work for events without userName field?</P> Tue, 14 Jun 2016 06:55:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-value-of-a-field-with-information-from-another/m-p/208060#M60658 Tachines 2016-06-14T06:55:21Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-value-of-a-field-with-information-from-another/m-p/208061#M60659 <P>Do you have any other source of data that will contain the username and their phone number? This sounds like a data quality issue. If you can find that information somewhere else you definitely have some options we can help you with.</P> Tue, 14 Jun 2016 13:12:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-value-of-a-field-with-information-from-another/m-p/208061#M60659 ryanoconnor 2016-06-14T13:12:26Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-value-of-a-field-with-information-from-another/m-p/208062#M60660 <P>Try like this (Assuming 'one phone number must and only belongs to one user' is true)</P> <PRE><CODE>your current search giving UserID and phoneNumber field | eventstats values(UserID) as UserForPhone by phoneNumber | eval phoneNumber = UserForPhone. "-" .phoneNumber | fields - UserForPhone </CODE></PRE> Tue, 14 Jun 2016 15:41:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-value-of-a-field-with-information-from-another/m-p/208062#M60660 somesoni2 2016-06-14T15:41:04Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-value-of-a-field-with-information-from-another/m-p/208063#M60661 <P>That's it! It works well. The only thing is that I guess there are some minor problems in my logs, because sometimes a phone number matches 2 users, which it shouldn't.</P> <P>Could you explain a bit why your answer can apply one to many mapping to all events, and, why it doesn't work if a number points to mutiple names (when this happens, phoneNumber field for that event will disappear actually).</P> <P>Thank you!</P> Wed, 15 Jun 2016 01:14:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-value-of-a-field-with-information-from-another/m-p/208063#M60661 Tachines 2016-06-15T01:14:14Z