Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to replace specific field value?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kdimaria
Communicator
08-18-2017
08:33 AM
I am trying to replace a specific field. I have a table that is like:
Name Street Zip Note
John Wall 123 hello
.
.
.
So I am basically trying to change the Note column. I was doing like:
eval Note="changed note" WHERE Name="John"
to grab that specific note column and not change all of them but when I try to run that it does not work.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
08-18-2017
09:26 AM
so you're trying to change the value of the Note column when Name=John?
does this work:
|eval Note=if(Name="John","changed note",Note)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
08-18-2017
09:26 AM
so you're trying to change the value of the Note column when Name=John?
does this work:
|eval Note=if(Name="John","changed note",Note)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cblanton
Communicator
07-24-2019
02:41 PM
I'm trying to do this exact same thing but my search doesn't seem to recognize when, for example Name="John." It sets the Z value to Note, regardless. I've tried changing the Z value and that changes, but when the X matches, it doesn't return Y, only Z. So it is returning Z and not just not doing the eval all together.
| eval MedRepoCloneMergeTime=if(Event="mock", "NA", MedRepoCloneMergeTime)
When X doesn't match, it also returns Z.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
07-24-2019
05:59 PM
Have you checked that the fields are spelled correctly and capitalized properly and the field value is also correctly spelled/capped? I know it’s silly but it’s critical. The fields and values need to exist and need to be exact. Do you have example data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kdimaria
Communicator
08-21-2017
07:10 AM
Yes that works thank you 🙂
Get Updates on the Splunk Community!
AppDynamics Summer Webinars
This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
SOCin’ it to you at Splunk University
Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...
Credit Card Data Protection & PCI Compliance with Splunk Edge Processor
Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
