
I feel like this should be easily done with eval, but it doesn't seem to be working for me!
I have data sets that include lines like this:
1. hostname=Unknown mac=4403a7c31cc0
2. hostname=xxx.yyy.com mac=fc99478bf09d
3. hostname=Unknown mac=689ce2cc3100
In every instance where hostname=Unknown, I want to substitute the value of the mac field for the host name. So, lines 1 and 3 above would have the value of the mac field instead of "Unknown" as the hostname value. I'm using the below search, but it's replacing every single instance of the hostname with the mac, instead of applying the condition hostname=Unknown -- ideas on where I'm going wrong?
... | eval hostname=if(hostname=="Unknown",mac,hostname)

Try this:
... | eval hostname=if(match(hostname, "^Unknown$"), mac, hostname)

Hi @hcannon
I noticed you upvoted the comment by @bchung_splunk. Did that answer your question? Can you provide more details or confirm in a comment please so we know if your issue is resolved or not?

I ran your eval, and got correct results:
hostname mac
689ce2cc3100 689ce2cc3100
xxx.yyy.com fc99478bf09d
4403a7c31cc0 4403a7c31cc0
Search string:
source=*t.log | eval hostname=if(hostname=="Unknown",mac,hostname) | table hostname mac
What version of Splunk are you running?
