So currently i have:
|Name | Branch | Age
---------------------------------------------------------
| Tom | USA | 21
| Tom | India | 23
| Pat | India | 26
If someone can please show me how to find the "Tom" matches on the "Name" field and then change the branches to USA for both the toms.
Thanks.
Can you please try this?
YOUR_SEARCH | eventstats values(Branch) as Branches by Name
| eval Branch=if(mvfind(Branches,"USA")>0,"USA",Branch) | fields - Branches
My Sample Search :
| makeresults | eval _raw="Name,Branch,Age
Tom,USA,21
Tom,India,23
Pat,India,26" | multikv forceheader=1
| table Name,Branch,Age | eventstats values(Branch) as Branches by Name
| eval Branch=if(mvfind(Branches,"USA")>0,"USA",Branch) | fields - Branches
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
| eval Branch=if(Name="Tom","USA",Branch)
@ITWhisperer . There are more than just one same Name. like there are more different matching names. I just gave that as an example. Thanks.
I guessed as much so you will have to give more information, for example, do you want all matching names to be USA branch? Do you want all matching names to be the first branch? If so, what determines first?
Yes i would like to have all matching names to be USA branch. @ITWhisperer
| eventstats count by Name
| eval Branch=if(count>1,"USA",Branch)