Hi,
I have an EVAL statements in two add-ons. The field names are same and the add-on that comes later in alphabetical order, overwrites the value set by earlier add-on. I have tried coalesce with if statement, but not able to solve this problem. In the second add-on when I am checking, looks like the value of the field is null and the one that has been set by the earlier add-on. So seems like there is no way to retain it conditionally, rather than overwriting it.
Kindly suggest a solution. Thank you.
You need to copy the expression used in first add-on to your add-on where you're setting the default value. So you need to use this in your add-on.
EVAL-vendor_product = if(searchmatch("testproduct"),"test","abc")
If your add-on is installed, the first add-on's configuration doesn't apply and there is no verndor_product field available before hand. So when your's is evaluated, it assigns null for vendor_product to events which are not matching your expression.
You need to copy the expression used in first add-on to your add-on where you're setting the default value. So you need to use this in your add-on.
EVAL-vendor_product = if(searchmatch("testproduct"),"test","abc")
If your add-on is installed, the first add-on's configuration doesn't apply and there is no verndor_product field available before hand. So when your's is evaluated, it assigns null for vendor_product to events which are not matching your expression.
Thank you. That's what I wanted to confirm.
These are add-ons you downloaded from Splunk apps or your custom? A suggested by Lisa, either don't use the same named field in two add-ons or remove the EVAL from both the Add-ons and create it in separate add-on/apps.
Hello, Thank you for response. I am trying to create a custom add-on.
So, in the EVAL of the custom add-on which has higher precedence, you include the condition/expression you used in first add-on as well. So that if it's overwrite, it still follows the same expression.
E.g. add-on 1
EVAL-field = <<some expression giving value1>>
add-on 2
EVAL-field = coalesce(<<some expression giving value2>>,<<some expression giving value1>>)
Thank you. I want to check expression for my messages and set a value for field using EVAL if expression is true, and if not, then don't touch the existing field value for other messages. Is that possible?
Did you try like this already
2nd Add-on
EVAL-field = if(<<some_expression evaluate true>>,"SomesValue",field)
If above doesn't work, can you share the EVAL definition that you have in other add-on?
yes I have tried, the field value is null in my add-on. I even checked with isnull(). So when condition is not evaluating to true, it overwrites with null for other messages
Can you share the exact props.conf entry that you have/tried in both the add-on for that field?
In the first add-on which is not mine,
EVAL-vendor_product = "abc"
In my add-on: (comes alphabetically next)
EVAL-vendor_product = if(searchmatch("testproduct"),"test",vendor_product)
Now, "test" is correctly assigned to my messages, but for other messages "abc" is overwritten by null. vendor_product field is removed basically.
My suggestion would be to not use the same field name in two different add-ons.