
How to populate field B with field A or field B depending if null?

jalo23
Explorer

I can't figure out the correct syntax for the second eval statement or what else I should use instead of eval. I know the second eval statement syntax is incorrect, I am just placing it here so you can understand what I am trying to accomplish.

| eval FieldA=if(like(computername, "ABC%"), "Yes", "No")
| eval FieldB = if FieldA="No", then FieldB = FieldC, else FieldB = FieldA

Thank you!

0 Karma

jalo23
Explorer

Thank you, I appreciate your super-fast response! Works perfectly!

0 Karma

ITWhisperer
SplunkTrust
| eval FieldB=if(like(computername, "ABC%"), "Yes", FieldC)
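
A run-anywhere version of the logic discussed in this thread, added here as an example and not part of any participant's post: it builds three constructed rows with `makeresults`, writes the asker's second `eval` in valid `if(condition, value_if_true, value_if_false)` form, and shows the case where `FieldC` is null. The host names, the `FieldC` values, the helper fields `n` and `FieldB_safe`, and the "unknown" fallback are assumptions made for the illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval computername=case(n=1, "ABC-constructed-01", n=2, "XYZ-constructed-02", n=3, "XYZ-constructed-03")
| eval FieldC=case(n=1, "constructed-C-1", n=2, "constructed-C-2")
| eval FieldA=if(like(computername, "ABC%"), "Yes", "No")
| eval FieldB=if(FieldA="No", FieldC, FieldA)
| eval FieldB_safe=if(FieldA="No", coalesce(FieldC, "unknown"), FieldA)
| table computername FieldA FieldC FieldB FieldB_safe
```

Row 1 gets `FieldB="Yes"` and row 2 takes the value of `FieldC`. Row 3 has no `FieldC` (the `case` has no matching clause, so it returns null), which leaves `FieldB` empty while `FieldB_safe` falls back to "unknown".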