Solved: Re: How do I use a field with a dash (-) in an "if...

jwhughes58 · ‎10-05-2018

I get a minus error if the search if looks like this:

index=my_index sourcetype=my_sourcetype
| eval my_field = if (isnotnull(my_field), my_field_2, my.field-2)

I can work around it my changing the SPL to

index=my_index sourcetype=my_sourcetype
| rename my.field-1 AS my_field_1
| eval my_field = if (isnotnull(my_field), my_field_2, my.field-1)

I tried quoting, but the value of my_field became "my.field-2" and not the value. Is there a way of escaping my.field-1 in the "if" so it reads the contents or will I have to use a rename?

TIA,
Joe

493669 · ‎10-05-2018

try single quote around field name like 'my.field-2'

View solution in original post

493669 · ‎10-05-2018

try single quote around field name like 'my.field-2'

jwhughes58 · ‎10-05-2018

I thought I had tried that, but it looks like I didn't since it worked.

493669 · ‎10-05-2018

glad it worked 😉

How do I use a field with a dash (-) in an "if" search?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How do I use a field with a dash (-) in an "if" search?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?