Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

IF then problems...

jacqu3sy
Path Finder
‎04-24-2017 03:12 AM

struggling with the following IF statement....

I have a table, and want to create a new field called 'finalclosedtime' which will be populated either by an existing field called 'closedtime' or a string IF one of the other fields contains a value of "New".

I tried this but no joy:

| eval finalclosedtime=if((status_label="New",stringtopopulate)closedtime)

Any ideas? Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dineshraj9
Builder
‎04-24-2017 03:19 AM

You can form the field this way -

| eval finalclosedtime=if(like(status_label,"%New%"),stringtopopulate,closedtime)

View solution in original post

Reply
Solved! Jump to solution

paulbannister
Communicator
‎04-24-2017 03:22 AM

Hi There, try it simply as:

| eval finalclosedtime=if(status_label="New", stringtopopulate, closedtime)

Reply
Solved! Jump to solution

jacqu3sy
Path Finder
‎04-24-2017 05:45 AM

Also worked, thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

dineshraj9
Builder
‎04-24-2017 03:19 AM

You can form the field this way -

| eval finalclosedtime=if(like(status_label,"%New%"),stringtopopulate,closedtime)
Reply
Solved! Jump to solution

jacqu3sy
Path Finder
‎04-24-2017 03:33 AM

Thats so simple, took me ages trying to get that working! many thanks!

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎04-24-2017 08:41 AM

Great! Please accept the answer that solved the problem, and upvote any other answers that you found particularly helpful.

0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎04-24-2017 03:35 AM

no problem 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...