All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk DB Connect: Create a New Field based on an existing fields value at ingestion time

jerrythoms
Explorer
‎12-19-2017 12:03 PM

New to Splunk and dbx connect 3.1. I have it mostly working , just one issue. I have a field, lets call it Name, if its value is Null, I want to have a new field called Name_status given the value "no name" and if it has a value I want to change it to "Has name". I want this to be done as the data is being ingested

been trying the case command and the nonull command but I get parameter #1 has not been set every time . Stuff I have tried

CASE WHEN len(Name)>0 then 'Has Name" as Name_status

CASE WHEN Name is not null then Name_status="Has Name"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FritzWittwer_ol
Contributor
‎12-20-2017 04:00 AM

I would solve this in the SQL query which gets the data. During ingestion you can do this only with a transforms using a regex

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FritzWittwer_ol
Contributor
‎12-20-2017 04:00 AM

I would solve this in the SQL query which gets the data. During ingestion you can do this only with a transforms using a regex

0 Karma
Reply
Solved! Jump to solution

jerrythoms
Explorer
‎12-20-2017 04:46 AM

Thanks for your comments. Yes I want to do this in the SQL query that is in the DBX input. I just can't seem to get it to work.

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎12-19-2017 09:50 PM

Hi @jerrythoms,

May I ask you, why you want to create a new field during ingestion time ? You can create new field during search time like <yourBasesearch> | eval Name_status=if(Name="","No Name","Has Name") so this will create new field Name_status with values No Name and Has Name

0 Karma
Reply
Solved! Jump to solution

jerrythoms
Explorer
‎12-20-2017 04:32 AM

Due to an upgrade the data that is already in the index has the field and all the dashboards use the field. Just thinking it would be easier to do this rather than change all the dashboards. Thanks for your comments.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...