Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Coalesce function not working with extracted field...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
poddraj
Explorer
02-19-2020
04:20 AM
Hi,
I am using below simple search where I am using coalesce to test.
index=fios 110788439127166000
| eval check=coalesce(SVC_ID,DELPHI_REQUEST.REQUEST.COMMAND)
| table
DELPHI_REQUEST.REQUEST.COMMAND ,host,SVC_ID,check
|rename DELPHI_REQUEST.REQUEST.COMMAND as "COMMAND"
I am getting below output where coalesce is not printing the value of field DELPHI_REQUEST.REQUEST.COMMAND instead it is printing null value.
COMMAND host SVC_ID check
------------------------------------------------------------------------------------------
GET_TOPOLOGY dlfdam1
GET_TOPOLOGY dlfdam1
However, if I use below query coalesce is working fine.
index=fios 110788439127166000
| eval check=coalesce(SVC_ID,host)
| table DELPHI_REQUEST.REQUEST.COMMAND ,host,SVC_ID,check
|rename DELPHI_REQUEST.REQUEST.COMMAND as "COMMAND"
COMMAND host SVC_ID check
----------------------------------------------------------------------------------------
GET_TOPOLOGY dlfdam1 dlfdam1
GET_TOPOLOGY dlfdam1 dlfdam1
Can someone let me understand why it is not working with extracted fields and working with host field
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PavelP
Motivator
02-19-2020
08:51 AM
try to first rename then coalesce
index=fios 110788439127166000
|rename DELPHI_REQUEST.REQUEST.COMMAND as "COMMAND"
| eval check=coalesce(SVC_ID,COMMAND)
| table COMMAND ,host,SVC_ID,check
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PavelP
Motivator
02-19-2020
08:51 AM
try to first rename then coalesce
index=fios 110788439127166000
|rename DELPHI_REQUEST.REQUEST.COMMAND as "COMMAND"
| eval check=coalesce(SVC_ID,COMMAND)
| table COMMAND ,host,SVC_ID,check
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
poddraj
Explorer
02-19-2020
10:33 PM
Thanks it worked. What I observed is due to . in my field name it is not working with coalesce function if I use same name replacing . with _ it is working like below
index=fios 110788439127166000
|rename DELPHI_REQUEST.REQUEST.COMMAND as "DELPHI_REQUEST_REQUEST_COMMAND"
| eval check=coalesce(SVC_ID,DELPHI_REQUEST_REQUEST_COMMAND)
| table DELPHI_REQUEST_REQUEST_COMMAND,host,SVC_ID,check
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
isoutamo
SplunkTrust
02-20-2020
09:25 AM
Or you can try to use ‘FIELD.NAME’ instead of FIELD.NAME.
Get Updates on the Splunk Community!
Developer Spotlight with William Searle
The Splunk Guy: A Developer’s Path from Web to Cloud
William is a Splunk Professional Services Consultant with ...
Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!
Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...
Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
