Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to replace specific field value?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kdimaria
Communicator
08-18-2017
08:33 AM
I am trying to replace a specific field. I have a table that is like:
Name Street Zip Note
John Wall 123 hello
.
.
.
So I am basically trying to change the Note column. I was doing like:
eval Note="changed note" WHERE Name="John"
to grab that specific note column and not change all of them but when I try to run that it does not work.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
08-18-2017
09:26 AM
so you're trying to change the value of the Note column when Name=John?
does this work:
|eval Note=if(Name="John","changed note",Note)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
08-18-2017
09:26 AM
so you're trying to change the value of the Note column when Name=John?
does this work:
|eval Note=if(Name="John","changed note",Note)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cblanton
Communicator
07-24-2019
02:41 PM
I'm trying to do this exact same thing but my search doesn't seem to recognize when, for example Name="John." It sets the Z value to Note, regardless. I've tried changing the Z value and that changes, but when the X matches, it doesn't return Y, only Z. So it is returning Z and not just not doing the eval all together.
| eval MedRepoCloneMergeTime=if(Event="mock", "NA", MedRepoCloneMergeTime)
When X doesn't match, it also returns Z.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
07-24-2019
05:59 PM
Have you checked that the fields are spelled correctly and capitalized properly and the field value is also correctly spelled/capped? I know it’s silly but it’s critical. The fields and values need to exist and need to be exact. Do you have example data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kdimaria
Communicator
08-21-2017
07:10 AM
Yes that works thank you 🙂
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
