How to use "setfields" command to assign the value...

sirching · ‎07-29-2020

I want to use the setfields command to set fieldA to a particular value. That value is located in fieldB. How can I make setfields take the value of the field rather then the field name. setfields fieldA=fieldB sets A to the string "fieldB".

Thanks.

isoutamo · ‎07-29-2020

Hi

I think that eval is better on this case.

eval fieldA = fieldB

is enough to copy fieldB values to fieldA.

r. Ismo

sirching · ‎07-29-2020

My FieldA contains a mixture of 2 values, OSType and Null, total count is 587. My Field B contains 1 value OSType and has a count of 4.

I am trying to set the 587 count of FieldA values to value of the OSType. Based on this scenario, what do you suggest. In the end I want all 587 FieldA values to equal the OSType, thus eliminating the Null value.

Thanks

bowesmana · ‎07-30-2020

Can you post an example of your data. From your description I take it that you want to set fieldA=fieldB where fieldA is null. So, you could do

| eval fieldA=coalesce(fieldA, fieldB)

which will copy fieldB to field A when field A is null.

isoutamo · ‎07-29-2020

Hi

| makeresults
| eval FieldA=split("OStype,,OStype,OStype,,OStype",",")
| mvexpand FieldA
| eval FieldA=nullif(FieldA,"")
| eval FieldB="OStype"
| rename COMMENT as "FieldA are OStype,OStypes and NULL"
| eval FieldA =  FieldB

to4kawa · ‎07-29-2020

| makeresults
| eval FieldA=split("OStype,,OStypes,OStype,,OStype",",")
| mvexpand FieldA
| eval FieldA=nullif(FieldA,"")
| eval FieldB="OStype"
| rename COMMENT as "FieldA are OStype,OStypes and NULL"
| eventstats count(eval(FieldA=FieldB)) as count

stats() eventstats() and chart() can use eval.

How to use "setfields" command to assign the value based on field value rather than field name?

fields

other

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector