Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rename a conditional field?

JohnEGones
Communicator
‎09-20-2023 05:56 AM

Hi guys,

I need some help trying to rename a specific field on condition that the renamed field is associated with one or more separate fields.

 

 

 

Fields:

Device_Name
Device_Interface
SomeField

Pseudocode:

<some query>
| if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX") --> rename Value2 as "This String"
| if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY") --> rename Value2A as "This Other String"

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2023 07:57 AM

Fields have a name and values.  They can be renamed.  Values do not have names so they cannot be renamed.

To change a value of a field, use the eval command to assign a new value.

| eval Device_Interface="x_y_z"

To change selected values of a field, use a condition within the eval.

| eval Device_Interface = if(Device_Interface="foo", "bar", Device_Interface)

Putting the field name in the else clause leaves the value unchanged if the condition is not met.

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-20-2023 08:02 AM 
| eval Device_Interface=case(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX","This String",Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY","This Other String",true(),Device_Interface)
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2023 07:24 AM

The rename command can't use conditions, but eval can.

<some query>
| eval "This String" = if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX", Value2, null())
| eval "This Other String" = if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY", Value2A, null())

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

JohnEGones
Communicator
‎09-20-2023 07:41 AM

Hi Rich (and Giuseppe),

I appreciate the prompt response, I realized that I messed up what I was asking, so some clarification:

 

<some search>
| stats count by Device_Name, Device_Interface, SomeField
| (here I want to rename the field *values* in Device_Interface that match the previous conditions, not rename the fieldname itself.)

So here I am renaming the below field value:
Device_Interface="xyz" ==> Device_Interface="x_y_z"

BEFORE rename (this is a sample line from the stats output):
DeviceName, xyz, someValue

AFTER rename:
DeviceName, x_y_z, someValue

 

 

Tags (2)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2023 07:57 AM

Fields have a name and values.  They can be renamed.  Values do not have names so they cannot be renamed.

To change a value of a field, use the eval command to assign a new value.

| eval Device_Interface="x_y_z"

To change selected values of a field, use a condition within the eval.

| eval Device_Interface = if(Device_Interface="foo", "bar", Device_Interface)

Putting the field name in the else clause leaves the value unchanged if the condition is not met.

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

JohnEGones
Communicator
‎09-20-2023 08:02 AM

Rich,

Ok, this is it. Thank you.

LOL. Some of this is simple when you see/get it, but SPL's versatility sometimes makes simple things opaque/unobvious to me.

@gcusello 

Hi Giuseppe,

Thank you for your responses as well

Yeah, it is the second one, but I guess I was unsure if it is better to say, do this as a lookup, based on the number of potential renames, or whether it is less effort to just define the conditions to trigger the rename based on the results from the stats output, since it isn't always the case that a specific interface value will populate.

But coming back to original question, I have clarity on how to proceed given Rich's response.

Tags (3)
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-20-2023 07:51 AM

Hi @JohnEGones,

probably there's a terms misunderstanding:

do you want to rename the field name or assign a value to the field based on a condition?

if the first case, please, define the old and the new name to assign to the field and the conditions.

If the second, please define the field to assign the value and the conditions for all the values.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-20-2023 07:12 AM

Hi @JohnEGones,

you have to use eval with if or case, something like this:

<your_seaRCH>
| eval Value2=if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX"),"This String",Value2)
| eval Value2A=if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY"),"This Other String",Value2A)

 Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...