New to Splunk and dbx connect 3.1. I have it mostly working , just one issue. I have a field, lets call it Name, if its value is Null, I want to have a new field called Name_status given the value "no name" and if it has a value I want to change it to "Has name". I want this to be done as the data is being ingested
been trying the case command and the nonull command but I get parameter #1 has not been set every time . Stuff I have tried
CASE WHEN len(Name)>0 then 'Has Name" as Name_status
CASE WHEN Name is not null then Name_status="Has Name"
May I ask you, why you want to create a new field during ingestion time ? You can create new field during search time like
<yourBasesearch> | eval Name_status=if(Name="","No Name","Has Name") so this will create new field
Name_status with values
No Name and
Due to an upgrade the data that is already in the index has the field and all the dashboards use the field. Just thinking it would be easier to do this rather than change all the dashboards. Thanks for your comments.