Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to replace specific field value?

kdimaria
Communicator
‎08-18-2017 08:33 AM

I am trying to replace a specific field. I have a table that is like:

Name Street Zip Note
John Wall 123 hello
.
.
.
So I am basically trying to change the Note column. I was doing like:
eval Note="changed note" WHERE Name="John"
to grab that specific note column and not change all of them but when I try to run that it does not work.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎08-18-2017 09:26 AM

so you're trying to change the value of the Note column when Name=John?
does this work:

|eval Note=if(Name="John","changed note",Note)

View solution in original post

Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎08-18-2017 09:26 AM

so you're trying to change the value of the Note column when Name=John?
does this work:

|eval Note=if(Name="John","changed note",Note)
Reply
Solved! Jump to solution

cblanton
Communicator
‎07-24-2019 02:41 PM

I'm trying to do this exact same thing but my search doesn't seem to recognize when, for example Name="John." It sets the Z value to Note, regardless. I've tried changing the Z value and that changes, but when the X matches, it doesn't return Y, only Z. So it is returning Z and not just not doing the eval all together.

| eval MedRepoCloneMergeTime=if(Event="mock", "NA", MedRepoCloneMergeTime)

When X doesn't match, it also returns Z.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎07-24-2019 05:59 PM

Have you checked that the fields are spelled correctly and capitalized properly and the field value is also correctly spelled/capped? I know it’s silly but it’s critical. The fields and values need to exist and need to be exact. Do you have example data?

0 Karma
Reply
Solved! Jump to solution

kdimaria
Communicator
‎08-21-2017 07:10 AM

Yes that works thank you 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...