Gentlemen,
How can i use eval to assign a field values of 2 different fields ?
In my events, i have 2 fields: empID and Non-empID . I want eval to create a new field called identity and this should have the value of either empID OR Non-empID whichever is present . Hope i am clear
I tried
eval identity = coalesce (empID , Non-empID )
but this didn't work.
Any suggestions ? Any other way to get this done if eval doesn't do it ?
Eventually i am going to have a table as follows, and the Identity column should consolidate empID / Non-empID whichever is present for that employee record.
identity | First | Last | |
Emp ID | |||
Non-Emp ID |
Hi @neerajs_81,
yes, the solution is the one of my previous answer: you have to use eval coalesce command :
your_search
| rename "Non-empID" AS Non_empID
| eval identity=coalesce(empID,Non_empID)
| stats values(First) AS First last(Last) As Last BY identity
Ciao.
Giuseppe
coalesce should work as you have used it, however, this assume that the "missing" field is null, not just blank. You could try inserting
| eval empID=if(empID="",null(),empID)
Although if you are going to do the comparison, you could try
| eval identity=if(isnull(empID) OR empID="",Non-empID,empID)
@ITWhisperer thank you. In my case, the missing values are blank . Basically the folks who don't have either of ID have that value showing as blank <empty> when i output to a table.
Hi @neerajs_81,
the minus sign "-" sometimes isn't recognized in Splunk field names, Sop I hint to avoid or rename it, in other words:
your_search
| rename "Non-empID" as Non_empID
| eval identity=coalesce(empID,Non_empID )
but I don't understand if you want to take only one value or a multi value, as you said in the question title: using eval and coalesce, you have a single value field not a multi value, could you use some example to describe your need?
Ciao.
Giuseppe
Thank you for responding. Maybe wrong choice of words but here is my use case.
We have some users that either have a empID or Non-empID depending on their role. Example:
First | Last | empID | Non-empID |
John | xx | 1234 | |
Dave | xxx | 3456 |
I need to merge/ consolidate both the ID values in a common field "identity" which will be my unique identifier for that user. So the final result should be like this"
First | Last | identity |
John | xx | 1234 |
Dave | xxx | 3456 |
Hope this helps ?
Hi @neerajs_81,
yes, the solution is the one of my previous answer: you have to use eval coalesce command :
your_search
| rename "Non-empID" AS Non_empID
| eval identity=coalesce(empID,Non_empID)
| stats values(First) AS First last(Last) As Last BY identity
Ciao.
Giuseppe
Hi @neerajs_81,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors 😉