Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add missing value to field in event or record via query

atornes
Path Finder
‎02-03-2012 12:45 PM

I have some events/records in my data that occurred in the past and we have since added some fields that for these events/records, is now null/blank. I'd like to be able to query for these events and add a value to the field just as you can with the | delete operator. Any idea how to do this?

Tags (4)
0 Karma
Reply

lguinn2
Legend
‎02-03-2012 02:17 PM

You cannot add data to any existing event in the index. However, perhaps you could use a lookup table to establish values for these fields when they are null. Hint: don't overwrite existing values with an automatic lookup.

I could say more about lookups, if you could explain a bit about the queries you were considering.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...

Splunk ITSI & Correlated Network Visibility

  Now On Demand   Take Your Network Visibility to the Next Level In today’s complex IT environments, ...

Community Content Calendar, August edition

In the dynamic world of cybersecurity, staying ahead means constantly solving new puzzles and optimizing your ...
Top