Solved: How to Add text to value only if?

marco_massari11 · ‎06-10-2022

Hi,

I have a lookup containing some admin users and I need to add some text like "ADS_" before the username to distinguish them from normal users. I tried:

index=myindex tag=authentication
| lookup Ads.csv Utenza AS username OUTPUT Gruppo
| fillnull value=NULL
| eval username=if(Gruppo="NULL",username, ADS_.username)
| eval action=if(match(details_message,"opened a Web Portal"),"success",action)
| search action=success dest_host!="- -"
| stats count by username
| sort count desc

what I'm missing?

Thanks in advance!

ITWhisperer · ‎06-10-2022

| eval username=if(Gruppo="NULL",username, "ADS_".username)

View solution in original post

ITWhisperer · ‎06-10-2022

| eval username=if(Gruppo="NULL",username, "ADS_".username)

gcusello · ‎06-10-2022

Hi @marco_massari11,

the eval statement isn't correct:

index=myindex tag=authentication
| lookup Ads.csv Utenza AS username OUTPUT Gruppo
| fillnull value=NULL
| eval username=if(Gruppo="NULL",username, "ADS_".username)
| eval action=if(match(details_message,"opened a Web Portal"),"success",action)
| search action=success dest_host!="- -"
| stats count by username
| sort count desc

Ciao.

Giuseppe

How to Add text to value only if?

other

panel

single value

table

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!