Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use eval to assign a field values of two different fields?

neerajs_81
Builder
‎03-10-2022 12:51 AM

Gentlemen,
How can i use eval  to assign a field  values of 2 different fields ?

In my events, i have 2 fields:  empID and Non-empID .  I want eval to create a new field called identity  and this should have the value of either empID OR Non-empID whichever is present .  Hope i am clear

I tried

 

 

 

eval identity = coalesce (empID , Non-empID )

 

 

 

 but this didn't work.


Any  suggestions ?  Any other way to get this done if eval doesn't do it ?
Eventually i am going to have a table as follows, and the Identity column should consolidate empID / Non-empID whichever is present for that employee record.

identity First Last email
Emp ID      
Non-Emp ID      

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2022 01:53 AM

Hi @neerajs_81,

yes, the solution is the one of my previous answer: you have to use eval coalesce command :

your_search
| rename "Non-empID" AS Non_empID
| eval identity=coalesce(empID,Non_empID)
| stats values(First) AS First last(Last) As Last BY identity

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2022 01:04 AM

coalesce should work as you have used it, however, this assume that the "missing" field is null, not just blank. You could try inserting

| eval empID=if(empID="",null(),empID)

Although if you are going to do the comparison, you could try

| eval identity=if(isnull(empID) OR empID="",Non-empID,empID)
Reply
Solved! Jump to solution

neerajs_81
Builder
‎03-10-2022 01:32 AM

@ITWhisperer  thank you. In my case, the missing values are blank .   Basically the folks who don't have either of ID have that value showing as blank <empty> when i output to a table.  

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2022 12:59 AM

Hi @neerajs_81,

the minus sign "-" sometimes isn't recognized in Splunk field names, Sop I hint to avoid or rename it, in other words:

your_search
| rename "Non-empID" as Non_empID
| eval identity=coalesce(empID,Non_empID )

but I don't understand if you want to take only one value or a multi value, as you said in the question title: using eval and coalesce, you have a single value field not a multi value, could you use some example to describe your need?

Ciao.

Giuseppe

Reply
Solved! Jump to solution

neerajs_81
Builder
‎03-10-2022 01:30 AM

Thank you for responding. Maybe wrong choice of words but here is my use case.
We have some users that either have a empID or Non-empID depending on their role.  Example:

FirstLastempIDNon-empID
John xx1234 
Davexxx 3456


I need to merge/ consolidate both the ID values in a common field "identity" which will be my unique identifier for that user.  So the final result should be like this"

FirstLastidentity
John xx1234
Davexxx3456


Hope this helps ?  

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2022 01:53 AM

Hi @neerajs_81,

yes, the solution is the one of my previous answer: you have to use eval coalesce command :

your_search
| rename "Non-empID" AS Non_empID
| eval identity=coalesce(empID,Non_empID)
| stats values(First) AS First last(Last) As Last BY identity

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2022 02:16 AM

Hi @neerajs_81,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...