Solved: Set Field=Value when Field not present in some log...

bcarr12 · ‎08-03-2017

Hi all,

I am running a search that in some cases has:
Field=Values

In other cases, Field is completely missing from logs (this is expected).

What would be the best way to set Field equal to the Value when one is present, but if the Field does not exist in a given log line, Field should be set to the word "none"?

I've tried the coalesce command, but it doesn't seem to be working - maybe it is just being used incorrectly?
eval NewField=coalesce(Field,"none")

In the above example, NewField is always equal to "none" - even when Field includes a value.

alemarzu · ‎08-03-2017

Heya, or try this.

... | fillnull value=none field1,field2,field3

View solution in original post

bcarr12 · ‎08-03-2017

Thank you both for your suggestions! alemarzu, fillnull worked great for this!

alemarzu · ‎08-03-2017

Heya, or try this.

... | fillnull value=none field1,field2,field3

cmerriman · ‎08-03-2017

try this:

|eval Field=if(isnull(Field),"none",Field)

Set Field=Value when Field not present in some logs

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio