Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to replace specific field value?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kdimaria
Communicator
08-18-2017
08:33 AM
I am trying to replace a specific field. I have a table that is like:
Name Street Zip Note
John Wall 123 hello
.
.
.
So I am basically trying to change the Note column. I was doing like:
eval Note="changed note" WHERE Name="John"
to grab that specific note column and not change all of them but when I try to run that it does not work.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
08-18-2017
09:26 AM
so you're trying to change the value of the Note column when Name=John?
does this work:
|eval Note=if(Name="John","changed note",Note)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
08-18-2017
09:26 AM
so you're trying to change the value of the Note column when Name=John?
does this work:
|eval Note=if(Name="John","changed note",Note)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cblanton
Communicator
07-24-2019
02:41 PM
I'm trying to do this exact same thing but my search doesn't seem to recognize when, for example Name="John." It sets the Z value to Note, regardless. I've tried changing the Z value and that changes, but when the X matches, it doesn't return Y, only Z. So it is returning Z and not just not doing the eval all together.
| eval MedRepoCloneMergeTime=if(Event="mock", "NA", MedRepoCloneMergeTime)
When X doesn't match, it also returns Z.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
07-24-2019
05:59 PM
Have you checked that the fields are spelled correctly and capitalized properly and the field value is also correctly spelled/capped? I know it’s silly but it’s critical. The fields and values need to exist and need to be exact. Do you have example data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kdimaria
Communicator
08-21-2017
07:10 AM
Yes that works thank you 🙂
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
