Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Look for field. If doesn't exist, add

Becherer
Explorer
‎05-17-2021 11:38 AM

I am looking to have a eval search that looks for a field name of "Name" and adds the value. If the field doesn't exist, I want to add a field of "Name" and add "N/A" for the data. 

 

| eval Name = if((like(Name,"*"))),"&Name&","N/A")

 

This might be the wrong way of doing it.

 

Event example #1:

HostnameTimeNameAction
Server0211:22amjdoelogon
Server201:30pmjsmithlogon

 

Event example #2:

HostnameTimeAction 
Workstation10:45amSaved 
Workstation 10012:30pmSaved 

 

 

After the search is run I want the data to look like this.

 

HostnameTimeNameAction
Server0211:22amjdoelogon
Server201:30pmjsmithlogon
Workstation10:45amN/ASave
Workstation 10012:30pmN/ASave
    
Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2021 03:36 PM 
| fillnull value="N/A" Name
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...