Solved: Replace a fields value with it's tag value

jdaivs · ‎05-07-2014

I have a field in my data-set that shows the device name that an event was was generated from. Recently our naming convention was updated and these names where changed. I have tagged the older values with the newer values and I am trying to get the newer value to display instead of the older so that the aggregated results I am trying to pull don't look at the same device twice.

I am not a wiz with sed, rex or eval but I tried adding the following to my query and I get an error stating that the eval function was expecting closing parens.

eval DEVICE_NAME=if(isnotnull(tag),rex DEVICE_NAME mode=sed "s/DEVICE_NAME/tag",DEVICE_NAME)

jdaivs · ‎05-08-2014

Why not this ?

eval DEVICE_NAME=coalesce(tag,DEVICE_NAME)

I moved your comment to the answer section so i can vote it up because it worked. With my fresher mind this morning I realized I was doing the evaluation (including this one) after the aggregation functions which I changed and it worked! Thank you

View solution in original post

jdaivs · ‎05-08-2014

Why not this ?

eval DEVICE_NAME=coalesce(tag,DEVICE_NAME)

I moved your comment to the answer section so i can vote it up because it worked. With my fresher mind this morning I realized I was doing the evaluation (including this one) after the aggregation functions which I changed and it worked! Thank you

somesoni2 · ‎05-07-2014

Why not this ?

eval DEVICE_NAME=coalesce(tag,DEVICE_NAME)

Replace a fields value with it's tag value

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!