Solved: How to replace a field if a specific value is seen

benspader · ‎03-05-2013

I am trying to replace a value in my search. For example if I get host=10.0.0.1 I want to grab the IP from src_ip=192.168.0.1.

Thanks in advance!

yannK · ‎03-05-2013

use an eval, and a condition like : fieldA=if(condition is fulfilled, then use value in Other fieldB, else use the pre-existing value in fieldA)

< my search > | eval IP=if(host=="10.0.0.1",src_ip,IP)

View solution in original post

yannK · ‎03-05-2013

use an eval, and a condition like : fieldA=if(condition is fulfilled, then use value in Other fieldB, else use the pre-existing value in fieldA)

< my search > | eval IP=if(host=="10.0.0.1",src_ip,IP)

benspader · ‎03-05-2013

Thank you yannK! That was very helpful!

cblanton · ‎07-15-2019

I'm trying to do exactly the same thing, but no matter what the value of the Event field, the new field evaluates to the value of MedRepoCloneMergeTimemin and not "na" as expected.

| eval newfield=if(in(Event,"mock"), "na", MedRepoCloneMergeTimemin)

| eval newfield=if(Event == mock, "na", MedRepoCloneMergeTimemin)

What am I missing? thanks for any ideas.

How to replace a field if a specific value is seen

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms