I have an EVAL statements in two add-ons. The field names are same and the add-on that comes later in alphabetical order, overwrites the value set by earlier add-on. I have tried coalesce with if statement, but not able to solve this problem. In the second add-on when I am checking, looks like the value of the field is null and the one that has been set by the earlier add-on. So seems like there is no way to retain it conditionally, rather than overwriting it.
Kindly suggest a solution. Thank you.
These are add-ons you downloaded from Splunk apps or your custom? A suggested by Lisa, either don't use the same named field in two add-ons or remove the EVAL from both the Add-ons and create it in separate add-on/apps.
So, in the EVAL of the custom add-on which has higher precedence, you include the condition/expression you used in first add-on as well. So that if it's overwrite, it still follows the same expression.
E.g. add-on 1
EVAL-field = <<some expression giving value1>>
EVAL-field = coalesce(<<some expression giving value2>>,<<some expression giving value1>>)
Thank you. I want to check expression for my messages and set a value for field using EVAL if expression is true, and if not, then don't touch the existing field value for other messages. Is that possible?
Did you try like this already
EVAL-field = if(<<some_expression evaluate true>>,"SomesValue",field)
If above doesn't work, can you share the EVAL definition that you have in other add-on?
yes I have tried, the field value is null in my add-on. I even checked with isnull(). So when condition is not evaluating to true, it overwrites with null for other messages
In the first add-on which is not mine,
EVAL-vendor_product = "abc"
In my add-on: (comes alphabetically next)
EVAL-vendorproduct = if(searchmatch("testproduct"),"test",vendorproduct)
Now, "test" is correctly assigned to my messages, but for other messages "abc" is overwritten by null. vendor_product field is removed basically.