Archive
Highlighted

EVAL is overwriting field of other add-on

New Member

Hi,

I have an EVAL statements in two add-ons. The field names are same and the add-on that comes later in alphabetical order, overwrites the value set by earlier add-on. I have tried coalesce with if statement, but not able to solve this problem. In the second add-on when I am checking, looks like the value of the field is null and the one that has been set by the earlier add-on. So seems like there is no way to retain it conditionally, rather than overwriting it.

Kindly suggest a solution. Thank you.

Tags (1)
0 Karma
Highlighted

Re: EVAL is overwriting field of other add-on

Legend

My suggestion would be to not use the same field name in two different add-ons.

0 Karma
Highlighted

Re: EVAL is overwriting field of other add-on

SplunkTrust
SplunkTrust

These are add-ons you downloaded from Splunk apps or your custom? A suggested by Lisa, either don't use the same named field in two add-ons or remove the EVAL from both the Add-ons and create it in separate add-on/apps.

0 Karma
Highlighted

Re: EVAL is overwriting field of other add-on

New Member

Hello, Thank you for response. I am trying to create a custom add-on.

0 Karma
Highlighted

Re: EVAL is overwriting field of other add-on

SplunkTrust
SplunkTrust

So, in the EVAL of the custom add-on which has higher precedence, you include the condition/expression you used in first add-on as well. So that if it's overwrite, it still follows the same expression.

E.g. add-on 1

EVAL-field = <<some expression giving value1>>

add-on 2

EVAL-field = coalesce(<<some expression giving value2>>,<<some expression giving value1>>)
0 Karma
Highlighted

Re: EVAL is overwriting field of other add-on

New Member

Thank you. I want to check expression for my messages and set a value for field using EVAL if expression is true, and if not, then don't touch the existing field value for other messages. Is that possible?

0 Karma
Highlighted

Re: EVAL is overwriting field of other add-on

SplunkTrust
SplunkTrust

Did you try like this already

2nd Add-on

EVAL-field = if(<<some_expression evaluate true>>,"SomesValue",field)

If above doesn't work, can you share the EVAL definition that you have in other add-on?

0 Karma
Highlighted

Re: EVAL is overwriting field of other add-on

New Member

yes I have tried, the field value is null in my add-on. I even checked with isnull(). So when condition is not evaluating to true, it overwrites with null for other messages

0 Karma
Highlighted

Re: EVAL is overwriting field of other add-on

SplunkTrust
SplunkTrust

Can you share the exact props.conf entry that you have/tried in both the add-on for that field?

0 Karma
Highlighted

Re: EVAL is overwriting field of other add-on

New Member

In the first add-on which is not mine,
EVAL-vendor_product = "abc"

In my add-on: (comes alphabetically next)
EVAL-vendorproduct = if(searchmatch("testproduct"),"test",vendorproduct)

Now, "test" is correctly assigned to my messages, but for other messages "abc" is overwritten by null. vendor_product field is removed basically.

0 Karma