Assign value to multiple fields in an event based ...

payl_chdhry · ‎07-22-2021

Hi,

I have an use case where I have an if condition involving multiple comparisons. Based on its outcome, I want to re-assign values in multiple fields. Consider below example:

My fields are: A1, B1, C1, A2, B2, C2 and few other fields

I have an if condition and when it is true to assign value as below and if false do nothing:

A1=A2

B1=B2

C1=C2

Now my query is, right now if I want to do this, I would have to write 3 different eval commands like below doing exact same comparisons:

| eval A1=if(<condition>, A2, A1)

| eval B1=if(<condition>, B2, B1)

| eval C1=if(<condition>, C2, C1)

Is there a way so that if I only use if once and when true, all three fields would get assigned value in one go. If there is a way, in terms of performance is above still better, I would be running this for more than hundred thousand records ?

ITWhisperer · ‎07-22-2021

Is there a direct relationship between the fields e.g. would something like

eval *1=if(condition, *2, *1)

make sense? If so, use foreach (it doesn't stop the multiple evaluations of the condition but at least you only have to write it once).

Is this issue that the condition is complex and you don't want to evaluate it multiple times? If so, would something like

eval set=if(complexcondition,1,0)

eval A1=If(set=1,A2,A1)

etc.

make sense?

Can you combine A1, B1, C1 into a multi-value field and A2, B2, C2 into another mv field and the assign one mv field to the other based on the condition?

Assign value to multiple fields in an event based on single if condition

eval

fields

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?