Solved: How to replace a field if a specific value is seen

benspader · ‎03-05-2013

I am trying to replace a value in my search. For example if I get host=10.0.0.1 I want to grab the IP from src_ip=192.168.0.1.

Thanks in advance!

yannK · ‎03-05-2013

use an eval, and a condition like : fieldA=if(condition is fulfilled, then use value in Other fieldB, else use the pre-existing value in fieldA)

< my search > | eval IP=if(host=="10.0.0.1",src_ip,IP)

View solution in original post

yannK · ‎03-05-2013

use an eval, and a condition like : fieldA=if(condition is fulfilled, then use value in Other fieldB, else use the pre-existing value in fieldA)

< my search > | eval IP=if(host=="10.0.0.1",src_ip,IP)

benspader · ‎03-05-2013

Thank you yannK! That was very helpful!

cblanton · ‎07-15-2019

I'm trying to do exactly the same thing, but no matter what the value of the Event field, the new field evaluates to the value of MedRepoCloneMergeTimemin and not "na" as expected.

| eval newfield=if(in(Event,"mock"), "na", MedRepoCloneMergeTimemin)

| eval newfield=if(Event == mock, "na", MedRepoCloneMergeTimemin)

What am I missing? thanks for any ideas.

How to replace a field if a specific value is seen

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation