Solved: Concatenating Fields in an Eval If Statement

svercelli · ‎07-25-2016

Been trying to create a new field that adds a leading zero to a field value if that value is lower than 100. I've tried what i would usually but i'm sure I'm missing something obvious.

 eval FLNO=if(FlighNumber<100,"0".FlightNumber,FlightNumber)

svercelli · ‎07-25-2016

You are all gonna be sooo mad but there was a typo and it turns out that was the error. the first FlightNumber was misspelled without the T.

View solution in original post

svercelli · ‎07-25-2016

You are all gonna be sooo mad but there was a typo and it turns out that was the error. the first FlightNumber was misspelled without the T.

javiergn · ‎07-25-2016

Assuming Flight Number is an integer between 1 - 999 and assuming you also want padding for numbers less than 10, see if the following helps:

| eval N = len(tostring(FlightNumber)) 
| eval zeroes = "00".tostring(FlightNumber) 
| eval FLNO = substr(zeroes,N,3)

AlexeyNL · ‎07-25-2016

How about create new field before

your search | eval FlighNumberWithLeadingZero="0".FlightNumber | eval FLNO=if(FlighNumber<100,FlighNumberWithLeadingZero,FlightNumber)

Concatenating Fields in an Eval If Statement

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

Concatenating Fields in an Eval If Statement

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)