Solved: How to replace empty field with specific string ? - Splunk Community

Dashboards & Visualizations

hi,

I have a search like this :

|rest /services/data/indexes splunk_server=local count=0 | search disabled=0 title!=_blocksignature title!=_thefishbucket | rename title AS index | fields index
| lookup indexes.csv index OUTPUT account
| search index=*xxx*

The result is a table like that :

index	account
xxx-aaa
xxx-bbb	D
ccc-xxx

I want to fill empty cell account with "D" account only for index containing "xxx" string.

I tried an eval : | eval account=if(index=="*xxx*","D",account) but it doesn't work.

Can you help me ?

Thanks.

1 Solution

Solution

@mah Try below-

| eval account=if(match(index,"xxx"),"D",account)

View solution in original post

Solution

@mah Try below-

| eval account=if(match(index,"xxx"),"D",account)

Get Updates on the Splunk Community!

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...

Developer Spotlight with Mika Borner

From Hackathon Winner to Enterprise Leader Mika Borner, CEO and Founder of Datapunctum AG, has been ...

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...