Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use eval to assign a field values of two different fields?

neerajs_81
Builder
‎03-10-2022 12:51 AM

Gentlemen,
How can i use eval  to assign a field  values of 2 different fields ?

In my events, i have 2 fields:  empID and Non-empID .  I want eval to create a new field called identity  and this should have the value of either empID OR Non-empID whichever is present .  Hope i am clear

I tried

 

 

 

eval identity = coalesce (empID , Non-empID )

 

 

 

 but this didn't work.


Any  suggestions ?  Any other way to get this done if eval doesn't do it ?
Eventually i am going to have a table as follows, and the Identity column should consolidate empID / Non-empID whichever is present for that employee record.

identity First Last email
Emp ID      
Non-Emp ID      

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2022 01:53 AM

Hi @neerajs_81,

yes, the solution is the one of my previous answer: you have to use eval coalesce command :

your_search
| rename "Non-empID" AS Non_empID
| eval identity=coalesce(empID,Non_empID)
| stats values(First) AS First last(Last) As Last BY identity

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2022 01:04 AM

coalesce should work as you have used it, however, this assume that the "missing" field is null, not just blank. You could try inserting

| eval empID=if(empID="",null(),empID)

Although if you are going to do the comparison, you could try

| eval identity=if(isnull(empID) OR empID="",Non-empID,empID)
Reply
Solved! Jump to solution

neerajs_81
Builder
‎03-10-2022 01:32 AM

@ITWhisperer  thank you. In my case, the missing values are blank .   Basically the folks who don't have either of ID have that value showing as blank <empty> when i output to a table.  

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2022 12:59 AM

Hi @neerajs_81,

the minus sign "-" sometimes isn't recognized in Splunk field names, Sop I hint to avoid or rename it, in other words:

your_search
| rename "Non-empID" as Non_empID
| eval identity=coalesce(empID,Non_empID )

but I don't understand if you want to take only one value or a multi value, as you said in the question title: using eval and coalesce, you have a single value field not a multi value, could you use some example to describe your need?

Ciao.

Giuseppe

Reply
Solved! Jump to solution

neerajs_81
Builder
‎03-10-2022 01:30 AM

Thank you for responding. Maybe wrong choice of words but here is my use case.
We have some users that either have a empID or Non-empID depending on their role.  Example:

FirstLastempIDNon-empID
John xx1234 
Davexxx 3456


I need to merge/ consolidate both the ID values in a common field "identity" which will be my unique identifier for that user.  So the final result should be like this"

FirstLastidentity
John xx1234
Davexxx3456


Hope this helps ?  

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2022 01:53 AM

Hi @neerajs_81,

yes, the solution is the one of my previous answer: you have to use eval coalesce command :

your_search
| rename "Non-empID" AS Non_empID
| eval identity=coalesce(empID,Non_empID)
| stats values(First) AS First last(Last) As Last BY identity

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2022 02:16 AM

Hi @neerajs_81,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top