Assign value to multiple fields in an event based on single if condition

payl_chdhry
Path Finder

Hi,

I have a use case where I have an if condition involving multiple comparisons. Based on its outcome, I want to re-assign values in multiple fields. Consider the example below:

My fields are: A1, B1, C1, A2, B2, C2 and a few other fields

I have an if condition; when it is true, I want to assign values as below, and if false, do nothing:

A1=A2

B1=B2

C1=C2

 

Now my query is: right now, if I want to do this, I would have to write 3 different eval commands like below, doing the exact same comparisons:

| eval A1=if(<condition>, A2, A1) 

| eval B1=if(<condition>, B2, B1) 

| eval C1=if(<condition>, C2, C1) 

 

Is there a way to use the if only once so that, when it is true, all three fields get assigned values in one go? If there is a way, in terms of performance, is the above still better? I would be running this for more than a hundred thousand records.

0 Karma

ITWhisperer
SplunkTrust

Is there a direct relationship between the fields e.g. would something like

eval *1=if(condition, *2, *1)

make sense? If so, use foreach (it doesn't stop the multiple evaluations of the condition but at least you only have to write it once).

Is the issue that the condition is complex and you don't want to evaluate it multiple times? If so, would something like

eval set=if(complexcondition,1,0)

eval A1=if(set=1,A2,A1)

etc.

make sense?

Can you combine A1, B1, C1 into a multi-value field and A2, B2, C2 into another mv field, and then assign one mv field to the other based on the condition?

0 Karma
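
The two suggestions above combined (evaluate the condition once into a flag, then let foreach write the assignment once), as an added example that is not part of the original thread. The makeresults rows, the counter field n and the n%2==0 test are constructed sample data standing in for the real events and <condition>; set is the flag name used in the answer.

```spl
| makeresults count=4
| streamstats count AS n
| eval A1="a1-".n, B1="b1-".n, C1="c1-".n
| eval A2="a2-".n, B2="b2-".n, C2="c2-".n
| eval set=if(n%2==0, 1, 0)
| foreach *1
    [ eval <<FIELD>>=if(set==1, '<<MATCHSTR>>2', '<<FIELD>>') ]
| fields - set
| table n A1 B1 C1 A2 B2 C2
```

Because *1 matches every field whose name ends in 1, narrow the wildcard if other fields in the event share that suffix; a matched field with no corresponding *2 field would be set to null on events where set is 1.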