Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to check if field exists and bring another field if true

fpedrosa
Engager
‎03-09-2022 04:01 AM

Hi, I have this search:

 

 

| spath 
| rename object.* as *
| spath path=events{} output=events
| stats by timestamp, events, application, event_type, account_id, context.display_name,
| mvexpand events
| eval _raw=events
| kv
| table timestamp, payload.rule_description,  "context.display_name",  account_id, "event_type", "application", "payload.rule_url"
| rename account_id as "Account ID", timestamp as "Timestamp", context.display_name as "System", context.host_url as "Host URL", event_type as "Event Type", "title" as "Title", "application" as "Application",  "payload.rule_url" as "URL"

 

 

 
I have a json with multiple `events,  inside this event  I have "payload.rule_description", but, some record, doesn't have this "payload.rule_description" object, so, I don't have the "payload.rule_description".

How can I check if the record has the "payload.rule_description" if not, brings `event_type`  instead?

Tried to use `eval title=if(payload.rule_description, payload.rule_description, event_type)`  doesn't work.

Thanks

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-09-2022 05:35 AM

Ahh, right. You have a dot in your field name. In such case (non alphanumerical characters in field name) you have to put the field name in single quotes.

| eval title=coalesce('payload.rule_description',eventtype)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-09-2022 04:35 AM 
| eval title=coalesce(payload.rule_description,eventtype)
0 Karma
Reply
Solved! Jump to solution

fpedrosa
Engager
‎03-09-2022 05:08 AM

Thanks @PickleRick  but didn't work... brings me event_type for all records, even the record with payload.rule_description

fpedrosa_0-1646831301179.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-09-2022 05:35 AM

Ahh, right. You have a dot in your field name. In such case (non alphanumerical characters in field name) you have to put the field name in single quotes.

| eval title=coalesce('payload.rule_description',eventtype)
0 Karma
Reply
Solved! Jump to solution

fpedrosa
Engager
‎03-09-2022 05:39 AM

Thanks again, unfortunately still the same... here is my search:

| spath 
| rename object.* as *
| spath path=events{} output=events
| stats by timestamp, events, application, event_type, account_id, context.display_name,
| mvexpand events 
| eval _raw=events
| eval title=coalesce('payload.rule_description', event_type) 
| kv
| table timestamp, title,  "context.display_name",  account_id, "event_type", "application", "payload.rule_url"
| rename account_id as "Account ID", timestamp as "Timestamp", context.display_name as "System", context.host_url as "Host URL", event_type as "Event Type", "title" as "Title", "application" as "Application",  "payload.rule_url" as "URL"
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-09-2022 05:52 AM

But you're evaluating this too early. You have to do it after kv. Before kv you don't have values in your fields.

0 Karma
Reply
Solved! Jump to solution

fpedrosa
Engager
‎03-09-2022 06:06 AM

@PickleRick   do you know how I can get the array index for the json?  for example, with my search, I'll split the `events`  array into a new record, but I need to know the index of the original event, so I can grab it when I'll develop row expansion, to show more data.

Do you know how to do this?

0 Karma
Reply
Solved! Jump to solution

fpedrosa
Engager
‎03-09-2022 05:55 AM

You are right!! Works now! Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...