
Replace a field's value with its tag value


I have a field in my data-set that shows the device name that an event was generated from. Recently our naming convention was updated and these names were changed. I have tagged the older values with the newer values and I am trying to get the newer value to display instead of the older so that the aggregated results I am trying to pull don't look at the same device twice.

I am not a wiz with sed, rex or eval but I tried adding the following to my query and I get an error stating that the eval function was expecting closing parens.

eval DEVICENAME=if(isnotnull(tag),rex DEVICENAME mode=sed "s/DEVICENAME/tag",DEVICENAME)


Re: Replace a field's value with its tag value


Why not this ?

eval DEVICENAME=coalesce(tag,DEVICENAME)


Re: Replace a field's value with its tag value


Why not this ?

eval DEVICENAME=coalesce(tag,DEVICENAME)


I moved your comment to the answer section so I can vote it up because it worked. With my fresher mind this morning I realized I was doing the evaluation (including this one) after the aggregation functions, which I changed and it worked! Thank you

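The accepted answer works only when the `eval` runs before the aggregation, which is the detail the thread resolves in the last post. The following search is an added example, not code from either participant: it builds a constructed four-event sample with `makeresults` (no tags or indexes from the original thread are assumed), simulates the tag field for the renamed device `fw-old-01`, applies `coalesce` to normalize the name, and only then aggregates. The device names, the `n` helper field and the simulated `tag` values are all made up for the demonstration.

```spl
| makeresults count=4
| streamstats count AS n
| eval DEVICENAME=case(n=1,"fw-old-01", n=2,"fw-old-01", n=3,"fw-new-01", n=4,"sw-core-02")
| eval tag=if(DEVICENAME="fw-old-01","fw-new-01",null())
| eval DEVICENAME=coalesce(tag,DEVICENAME)
| stats count BY DEVICENAME
```

Because `coalesce` returns its first non-null argument, the two `fw-old-01` events are counted under `fw-new-01` and the table collapses to two rows, one per physical device, instead of three. Placing the `eval` after `stats count BY DEVICENAME` would aggregate the old and new names as separate rows first, and no later rename could merge the counts, which is the double-counting the question describes. For real tagged events, the `tag` field carries every tag on the event, not only the one attached to `DEVICENAME`; Splunk also exposes a per-field `tag::DEVICENAME` field, which is the safer source to coalesce from when events carry more than one tag. Double-counting a renamed device is worth fixing in security searches in particular, since per-device event volumes and thresholds in detection rules are silently halved when one host is split across two names.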