Solved: How to replace empty field with specific string ? - Splunk Community

Dashboards & Visualizations

hi,

I have a search like this :

|rest /services/data/indexes splunk_server=local count=0 | search disabled=0 title!=_blocksignature title!=_thefishbucket | rename title AS index | fields index
| lookup indexes.csv index OUTPUT account
| search index=*xxx*

The result is a table like that :

index	account
xxx-aaa
xxx-bbb	D
ccc-xxx

I want to fill empty cell account with "D" account only for index containing "xxx" string.

I tried an eval : | eval account=if(index=="*xxx*","D",account) but it doesn't work.

Can you help me ?

Thanks.

1 Solution

Solution

@mah Try below-

| eval account=if(match(index,"xxx"),"D",account)

View solution in original post

Solution

@mah Try below-

| eval account=if(match(index,"xxx"),"D",account)

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers, We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...