Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Set Field=Value when Field not present in some logs

bcarr12
Path Finder
‎08-03-2017 07:10 AM

Hi all,

I am running a search that in some cases has:
Field=Values

In other cases, Field is completely missing from logs (this is expected).

What would be the best way to set Field equal to the Value when one is present, but if the Field does not exist in a given log line, Field should be set to the word "none"?

I've tried the coalesce command, but it doesn't seem to be working - maybe it is just being used incorrectly?
eval NewField=coalesce(Field,"none")

In the above example, NewField is always equal to "none" - even when Field includes a value.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alemarzu
Motivator
‎08-03-2017 07:25 AM

Heya, or try this.

... | fillnull value=none field1,field2,field3

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bcarr12
Path Finder
‎08-03-2017 07:46 AM

Thank you both for your suggestions! alemarzu, fillnull worked great for this!

0 Karma
Reply
Solved! Jump to solution
Solution

alemarzu
Motivator
‎08-03-2017 07:25 AM

Heya, or try this.

... | fillnull value=none field1,field2,field3
0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎08-03-2017 07:23 AM

try this:

|eval Field=if(isnull(Field),"none",Field)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...