Solved: How to evaluate multiple fields to create new fiel...

raysonjoberts · ‎07-28-2022

I am trying to create a logic to choose a value to use from multiple fields based on a priority I can define. I have 3 fields which may have values in them and I want to create a 4th field to represent the best best choice of the 3.

I always trust field3 more than field2 and always trust field2 more than field1. I want the logic to be -

- if field3 has value, always use it
-if field3 has no value, use field2's value
-if field3 and field2 have no values, use field1's value
- if fields3, 2 and 1 all have no values, leave blank (or "unknown", etc.)

These are 3 examples of what this may look like and what I want to see field4 be based on the presence of values in the other fields.

Example 1
field1=<value1>
field2=<value2>
field3=<value3>
field4=<value3>

Example 2
field1=<value1>
field2=<value2>
field3=
field4=<value2>

Example3
field1=<value1>
field2=
field3=
field4=<value1>

I feel like this is probably a pretty pretty simple eval command, but I can't seem to find an example.

Thank you in advance!

ITWhisperer · ‎07-28-2022

Try something like this

| eval field4=coalesce(field3, field2, field1)

View solution in original post

raysonjoberts · ‎07-28-2022

I knew it was easy 😉

Thank you!

ITWhisperer · ‎07-28-2022

Try something like this

| eval field4=coalesce(field3, field2, field1)

How to evaluate multiple fields to create new field based on priority?

eval

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?