How to use "setfields" command to assign the value...

sirching · ‎07-29-2020

I want to use the setfields command to set fieldA to a particular value. That value is located in fieldB. How can I make setfields take the value of the field rather then the field name. setfields fieldA=fieldB sets A to the string "fieldB".

Thanks.

isoutamo · ‎07-29-2020

Hi

I think that eval is better on this case.

eval fieldA = fieldB

is enough to copy fieldB values to fieldA.

r. Ismo

sirching · ‎07-29-2020

My FieldA contains a mixture of 2 values, OSType and Null, total count is 587. My Field B contains 1 value OSType and has a count of 4.

I am trying to set the 587 count of FieldA values to value of the OSType. Based on this scenario, what do you suggest. In the end I want all 587 FieldA values to equal the OSType, thus eliminating the Null value.

Thanks

bowesmana · ‎07-30-2020

Can you post an example of your data. From your description I take it that you want to set fieldA=fieldB where fieldA is null. So, you could do

| eval fieldA=coalesce(fieldA, fieldB)

which will copy fieldB to field A when field A is null.

isoutamo · ‎07-29-2020

Hi

| makeresults
| eval FieldA=split("OStype,,OStype,OStype,,OStype",",")
| mvexpand FieldA
| eval FieldA=nullif(FieldA,"")
| eval FieldB="OStype"
| rename COMMENT as "FieldA are OStype,OStypes and NULL"
| eval FieldA =  FieldB

to4kawa · ‎07-29-2020

| makeresults
| eval FieldA=split("OStype,,OStypes,OStype,,OStype",",")
| mvexpand FieldA
| eval FieldA=nullif(FieldA,"")
| eval FieldB="OStype"
| rename COMMENT as "FieldA are OStype,OStypes and NULL"
| eventstats count(eval(FieldA=FieldB)) as count

stats() eventstats() and chart() can use eval.

How to use "setfields" command to assign the value based on field value rather than field name?

fields

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms