Solved: Re: Calculated Field to replace value of field

jason_hotchkiss · ‎03-20-2023

Hello -

I have a table with the following:

host

HOST	FQDN	DNS_NAME	HOST_MATCH	INDEX
hostalpha	hosta.mydomain.com	hosta	false	index_a
hosta	host	-	true	index_b

Created from the following search:

base_search
| rex field=FQDN ""^(?<DNS_NAME>[^.]+)\..*$"
| fillnull value="-" DNS_NAME
|eval HOST_MATCH="if(host='DNS_NAME',"true","false")

How would I replace the do the following:

1. If HOST != DNS_NAME, Make HOST = DNS_NAME
2. If DNS_NAME = "-" MAKE DNS_NAME = HOST

Thanks!

ITWhisperer · ‎03-20-2023

Just do the evaluations in the opposite order

| eval DNS_NAME=if(DNS_NAME == "-", HOST, DNS_NAME)
| eval HOST=if(HOST != DNS_NAME, DNS_NAME, HOST)

View solution in original post

ITWhisperer · ‎03-20-2023

Just do the evaluations in the opposite order

| eval DNS_NAME=if(DNS_NAME == "-", HOST, DNS_NAME)
| eval HOST=if(HOST != DNS_NAME, DNS_NAME, HOST)

jason_hotchkiss · ‎03-20-2023

@ITWhisperer thank you. I was way overthinking this. Much appreicated!

How to calculate field to replace value of field?

eval

table

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?