Solved: How to replace specific field value?

kdimaria · ‎08-18-2017

I am trying to replace a specific field. I have a table that is like:

Name Street Zip Note
John Wall 123 hello
.
.
.
So I am basically trying to change the Note column. I was doing like:
eval Note="changed note" WHERE Name="John"
to grab that specific note column and not change all of them but when I try to run that it does not work.

cmerriman · ‎08-18-2017

so you're trying to change the value of the Note column when Name=John?
does this work:

|eval Note=if(Name="John","changed note",Note)

View solution in original post

cmerriman · ‎08-18-2017

so you're trying to change the value of the Note column when Name=John?
does this work:

|eval Note=if(Name="John","changed note",Note)

cblanton · ‎07-24-2019

I'm trying to do this exact same thing but my search doesn't seem to recognize when, for example Name="John." It sets the Z value to Note, regardless. I've tried changing the Z value and that changes, but when the X matches, it doesn't return Y, only Z. So it is returning Z and not just not doing the eval all together.

| eval MedRepoCloneMergeTime=if(Event="mock", "NA", MedRepoCloneMergeTime)

When X doesn't match, it also returns Z.

cmerriman · ‎07-24-2019

Have you checked that the fields are spelled correctly and capitalized properly and the field value is also correctly spelled/capped? I know it’s silly but it’s critical. The fields and values need to exist and need to be exact. Do you have example data?

kdimaria · ‎08-21-2017

Yes that works thank you 🙂

How to replace specific field value?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies