Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Two fields (same value), fill in third field

rocarril
Engager
‎02-10-2018 10:21 PM

My dataset has three fields from two different data sources. Two fields are identical (hostnames with different field names). One dataset has a third field that I would like to fill in. Example:

sourcetype . hostname1 computer1 . domain
source1 . host1 . NT1
source1 . host2 NT2
source2 host1
source2 host2

Want to it to be:

sourcetype . hostname1 computer1 . domain
source1 . host1 . host1 NT1
source1 . host2 host2 NT2
source2 host1 host1 NT1
source2 host2 host2 . NT2

Tags (1)
0 Karma
Reply

Kwip
Contributor
‎02-11-2018 09:14 PM

| eval Domain=case(
hostname1="host1" AND computername1="host1", "NT1",
hostname1="host2" AND computername1="host2", "NT2")

Same can achieve via lookup if you have large no of values to be created.

0 Karma
Reply

micahkemp
Champion
‎02-11-2018 08:59 AM

How are the values NT1 and NT2 determined for the last two events in your example output?

0 Karma
Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!