Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to check if field exists and bring another field if true

fpedrosa
Engager
‎03-09-2022 04:01 AM

Hi, I have this search:

 

 

| spath 
| rename object.* as *
| spath path=events{} output=events
| stats by timestamp, events, application, event_type, account_id, context.display_name,
| mvexpand events
| eval _raw=events
| kv
| table timestamp, payload.rule_description,  "context.display_name",  account_id, "event_type", "application", "payload.rule_url"
| rename account_id as "Account ID", timestamp as "Timestamp", context.display_name as "System", context.host_url as "Host URL", event_type as "Event Type", "title" as "Title", "application" as "Application",  "payload.rule_url" as "URL"

 

 

 
I have a json with multiple `events,  inside this event  I have "payload.rule_description", but, some record, doesn't have this "payload.rule_description" object, so, I don't have the "payload.rule_description".

How can I check if the record has the "payload.rule_description" if not, brings `event_type`  instead?

Tried to use `eval title=if(payload.rule_description, payload.rule_description, event_type)`  doesn't work.

Thanks

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-09-2022 05:35 AM

Ahh, right. You have a dot in your field name. In such case (non alphanumerical characters in field name) you have to put the field name in single quotes.

| eval title=coalesce('payload.rule_description',eventtype)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-09-2022 04:35 AM 
| eval title=coalesce(payload.rule_description,eventtype)
0 Karma
Reply
Solved! Jump to solution

fpedrosa
Engager
‎03-09-2022 05:08 AM

Thanks @PickleRick  but didn't work... brings me event_type for all records, even the record with payload.rule_description

fpedrosa_0-1646831301179.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-09-2022 05:35 AM

Ahh, right. You have a dot in your field name. In such case (non alphanumerical characters in field name) you have to put the field name in single quotes.

| eval title=coalesce('payload.rule_description',eventtype)
0 Karma
Reply
Solved! Jump to solution

fpedrosa
Engager
‎03-09-2022 05:39 AM

Thanks again, unfortunately still the same... here is my search:

| spath 
| rename object.* as *
| spath path=events{} output=events
| stats by timestamp, events, application, event_type, account_id, context.display_name,
| mvexpand events 
| eval _raw=events
| eval title=coalesce('payload.rule_description', event_type) 
| kv
| table timestamp, title,  "context.display_name",  account_id, "event_type", "application", "payload.rule_url"
| rename account_id as "Account ID", timestamp as "Timestamp", context.display_name as "System", context.host_url as "Host URL", event_type as "Event Type", "title" as "Title", "application" as "Application",  "payload.rule_url" as "URL"
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-09-2022 05:52 AM

But you're evaluating this too early. You have to do it after kv. Before kv you don't have values in your fields.

0 Karma
Reply
Solved! Jump to solution

fpedrosa
Engager
‎03-09-2022 06:06 AM

@PickleRick   do you know how I can get the array index for the json?  for example, with my search, I'll split the `events`  array into a new record, but I need to know the index of the original event, so I can grab it when I'll develop row expansion, to show more data.

Do you know how to do this?

0 Karma
Reply
Solved! Jump to solution

fpedrosa
Engager
‎03-09-2022 05:55 AM

You are right!! Works now! Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...