Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass a value to a non existent field/null?

villnooB
Explorer
‎01-23-2023 03:16 AM

Is it possible to assign a value to a different fields. I am trying to combine two different events but the same index. The other one has the field which I needed ip address while the other one doesn't have it in the raw logs. Is it possible to assign/pass the value to the other?

 

date name description ip
1/15/2023 12:05 xxx this is test 1 192.x.x.x
1/15/2023 12:06 xxx this is test 2  
1/15/2023 12:06 xxx this is test 1 192.x.x.x

 

I tried using eval and passing the data but it fails. Using fill null values and assigning the a fix value doesn't fix it. it should be based from the IP above or within that same date

Thanks you in advance for any advice

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-23-2023 04:39 AM

Hi @villnooB,

what is the logic to assign the IP address to the empty field?

if it's fixed, you can use eval.

If you want to take it by the value of other events, you have to aggregate events and separate them:

<your_search
| eval event=date."|".description
| stats values(event) AS event values(ip) AS ip BY name
| mvexpand event
| rex field=event "^(?<date>[^\|]+)\|(?<description>.*)"
| table date name description ip

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

villnooB
Explorer
‎01-23-2023 07:01 AM

Thank you all , this guided me to the right direction

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-23-2023 05:17 AM

To fill from above (assuming your events are in the right order), try this

| filldown ip

To fill from other events with the same key value e.g. name, try this

| eventstats values(ip) as ip by name
Reply
Solved! Jump to solution

MYilmaz
Explorer
‎01-23-2023 04:46 AM

Hi @villnooB 


you can add the following search to the end of your own search.

| autoregress ip 
| eval ip=coalesce(ip,ip_p1) 
| fields - *p1

 

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-23-2023 04:39 AM

Hi @villnooB,

what is the logic to assign the IP address to the empty field?

if it's fixed, you can use eval.

If you want to take it by the value of other events, you have to aggregate events and separate them:

<your_search
| eval event=date."|".description
| stats values(event) AS event values(ip) AS ip BY name
| mvexpand event
| rex field=event "^(?<date>[^\|]+)\|(?<description>.*)"
| table date name description ip

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options A recent Tech Talk, ...

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...