Archive

EVAL is overwriting field of other add-on

New Member

Hi,

I have an EVAL statements in two add-ons. The field names are same and the add-on that comes later in alphabetical order, overwrites the value set by earlier add-on. I have tried coalesce with if statement, but not able to solve this problem. In the second add-on when I am checking, looks like the value of the field is null and the one that has been set by the earlier add-on. So seems like there is no way to retain it conditionally, rather than overwriting it.

Kindly suggest a solution. Thank you.

Tags (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

You need to copy the expression used in first add-on to your add-on where you're setting the default value. So you need to use this in your add-on.

EVAL-vendor_product = if(searchmatch("testproduct"),"test","abc")

If your add-on is installed, the first add-on's configuration doesn't apply and there is no verndorproduct field available before hand. So when your's is evaluated, it assigns null for vendorproduct to events which are not matching your expression.

View solution in original post

SplunkTrust
SplunkTrust

You need to copy the expression used in first add-on to your add-on where you're setting the default value. So you need to use this in your add-on.

EVAL-vendor_product = if(searchmatch("testproduct"),"test","abc")

If your add-on is installed, the first add-on's configuration doesn't apply and there is no verndorproduct field available before hand. So when your's is evaluated, it assigns null for vendorproduct to events which are not matching your expression.

View solution in original post

New Member

Thank you. That's what I wanted to confirm.

0 Karma

SplunkTrust
SplunkTrust

These are add-ons you downloaded from Splunk apps or your custom? A suggested by Lisa, either don't use the same named field in two add-ons or remove the EVAL from both the Add-ons and create it in separate add-on/apps.

0 Karma

New Member

Hello, Thank you for response. I am trying to create a custom add-on.

0 Karma

SplunkTrust
SplunkTrust

So, in the EVAL of the custom add-on which has higher precedence, you include the condition/expression you used in first add-on as well. So that if it's overwrite, it still follows the same expression.

E.g. add-on 1

EVAL-field = <<some expression giving value1>>

add-on 2

EVAL-field = coalesce(<<some expression giving value2>>,<<some expression giving value1>>)
0 Karma

New Member

Thank you. I want to check expression for my messages and set a value for field using EVAL if expression is true, and if not, then don't touch the existing field value for other messages. Is that possible?

0 Karma

SplunkTrust
SplunkTrust

Did you try like this already

2nd Add-on

EVAL-field = if(<<some_expression evaluate true>>,"SomesValue",field)

If above doesn't work, can you share the EVAL definition that you have in other add-on?

0 Karma

New Member

yes I have tried, the field value is null in my add-on. I even checked with isnull(). So when condition is not evaluating to true, it overwrites with null for other messages

0 Karma

SplunkTrust
SplunkTrust

Can you share the exact props.conf entry that you have/tried in both the add-on for that field?

0 Karma

New Member

In the first add-on which is not mine,
EVAL-vendor_product = "abc"

In my add-on: (comes alphabetically next)
EVAL-vendorproduct = if(searchmatch("testproduct"),"test",vendorproduct)

Now, "test" is correctly assigned to my messages, but for other messages "abc" is overwritten by null. vendor_product field is removed basically.

0 Karma

Legend

My suggestion would be to not use the same field name in two different add-ons.

0 Karma