Solved: Use field A if B does not exist

HeinzWaescher · ‎02-17-2014

Hi,

in the past I used a lookup to add the field "price" to my events.
Now there will be a new field "price II" in the eventstructure. In the statistics I would like to tell Splunk to use "price II" if it exists, otherwise use "price"

My idea would be to create a new field "final_price" and use this field for further calculations. But I've no idea what kind of function should be used.

| eval final_price=...

Thanks in advance

Heinz

MuS · ‎02-17-2014

Hi HeinzWaescher,

check the isnotnull() or where function for eval, so you could use something like this:

 YourSearchHere | eval final_price=if(isnotnull(price II),price II,price)

But I'm not sure if this will work for you, because you're using a space in the fieldname. You should avoid spaces in field names and use _ or - instead.

hope this helps ...

cheers, MuS

View solution in original post

martin_mueller · ‎02-17-2014

Here's a shorter version:

... | eval final_price=coalesce(price_II,price) | ..

HeinzWaescher · ‎02-19-2014

This command works fine as well. Thanks!

MuS · ‎02-17-2014

Hi HeinzWaescher,

check the isnotnull() or where function for eval, so you could use something like this:

 YourSearchHere | eval final_price=if(isnotnull(price II),price II,price)

But I'm not sure if this will work for you, because you're using a space in the fieldname. You should avoid spaces in field names and use _ or - instead.

hope this helps ...

cheers, MuS

HeinzWaescher · ‎02-19-2014

Hey,

this works fine! There is no space in the fieldname, it was just a bad example 😉

Thanks!

alacercogitatus · ‎02-17-2014

Splunk has a habit of replacing Spaces with underscores. Your field will probably be "price_II".

Use field A if B does not exist

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...