Edit data In Splunk

jokovitch · ‎08-12-2021

I have a data in Splunk like

index="main"

I want to add and change some data

where Fname="fname1" I want to edit that Country = UK and add field of Phone =123

The final data will be

How can I do that?

gcusello · ‎08-12-2021

as @anilchaithu hinted, the correct search should be:

index=main
| eval Country=if(Fname="fname1","UK",Country), Phone=if(Fname="fname1","123","")
| table Fname Phone Country

if it doesn't run, check the fieldname (fields are case sensitive).

If doesn't run, please describe results and what's error.

Ciao.

Giuseppe

anilchaithu · ‎08-12-2021

you can use the below eval command for this task

eval Country = if(Fname="fname1", "UK", Fname), Phone= case(Fname="fname1", "123")

-- Hope this helps

jokovitch · ‎08-12-2021

index="main" |eval Phone= case(Fname="fname1", "123")

I have tried this command , but nothing changed

anilchaithu · ‎08-12-2021

strange, try this.

index="main" | eval Phone= case(like(Fname, "%fname1%", "123")

-- Hope this helps

jokovitch · ‎08-15-2021

You need to change

index="main" | eval Phone= case(like(Fname, "%fname1%", "123")

to

index="main" | eval Phone= case(like(Fname, "%fname1%"), "123")

That still not change the data

Do I need to put this query in another place then New Search screen ? Or maybe is there place that I need to mark to commit this data?

jokovitch · ‎08-22-2021

Do you have any idea how to fix that ?