Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rename a conditional field?

JohnEGones
Path Finder
‎09-20-2023 05:56 AM

Hi guys,

I need some help trying to rename a specific field on condition that the renamed field is associated with one or more separate fields.

 

 

 

Fields:

Device_Name
Device_Interface
SomeField

Pseudocode:

<some query>
| if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX") --> rename Value2 as "This String"
| if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY") --> rename Value2A as "This Other String"

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2023 07:57 AM

Fields have a name and values.  They can be renamed.  Values do not have names so they cannot be renamed.

To change a value of a field, use the eval command to assign a new value.

| eval Device_Interface="x_y_z"

To change selected values of a field, use a condition within the eval.

| eval Device_Interface = if(Device_Interface="foo", "bar", Device_Interface)

Putting the field name in the else clause leaves the value unchanged if the condition is not met.

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-20-2023 08:02 AM 
| eval Device_Interface=case(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX","This String",Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY","This Other String",true(),Device_Interface)
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2023 07:24 AM

The rename command can't use conditions, but eval can.

<some query>
| eval "This String" = if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX", Value2, null())
| eval "This Other String" = if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY", Value2A, null())

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

JohnEGones
Path Finder
‎09-20-2023 07:41 AM

Hi Rich (and Giuseppe),

I appreciate the prompt response, I realized that I messed up what I was asking, so some clarification:

 

<some search>
| stats count by Device_Name, Device_Interface, SomeField
| (here I want to rename the field *values* in Device_Interface that match the previous conditions, not rename the fieldname itself.)

So here I am renaming the below field value:
Device_Interface="xyz" ==> Device_Interface="x_y_z"

BEFORE rename (this is a sample line from the stats output):
DeviceName, xyz, someValue

AFTER rename:
DeviceName, x_y_z, someValue

 

 

Tags (2)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2023 07:57 AM

Fields have a name and values.  They can be renamed.  Values do not have names so they cannot be renamed.

To change a value of a field, use the eval command to assign a new value.

| eval Device_Interface="x_y_z"

To change selected values of a field, use a condition within the eval.

| eval Device_Interface = if(Device_Interface="foo", "bar", Device_Interface)

Putting the field name in the else clause leaves the value unchanged if the condition is not met.

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

JohnEGones
Path Finder
‎09-20-2023 08:02 AM

Rich,

Ok, this is it. Thank you.

LOL. Some of this is simple when you see/get it, but SPL's versatility sometimes makes simple things opaque/unobvious to me.

@gcusello 

Hi Giuseppe,

Thank you for your responses as well

Yeah, it is the second one, but I guess I was unsure if it is better to say, do this as a lookup, based on the number of potential renames, or whether it is less effort to just define the conditions to trigger the rename based on the results from the stats output, since it isn't always the case that a specific interface value will populate.

But coming back to original question, I have clarity on how to proceed given Rich's response.

Tags (3)
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-20-2023 07:51 AM

Hi @JohnEGones,

probably there's a terms misunderstanding:

do you want to rename the field name or assign a value to the field based on a condition?

if the first case, please, define the old and the new name to assign to the field and the conditions.

If the second, please define the field to assign the value and the conditions for all the values.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-20-2023 07:12 AM

Hi @JohnEGones,

you have to use eval with if or case, something like this:

<your_seaRCH>
| eval Value2=if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX"),"This String",Value2)
| eval Value2A=if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY"),"This Other String",Value2A)

 Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...