Solved: eval if blank field

jacqu3sy · ‎04-10-2019

Hi,

Can I use multiple field values to substitute a blank value?

Currently have;

| eval final_destination = if(destination="", dest_ip, destination)\

How would I add additional fields to this command? so that if dest_ip was also blank, use dest_device instead?

harsmarvania57 · ‎04-10-2019

Hi,

Try below query

<yoursearch>
| eval final_destination = if(destination="", if(dest_ip="", dest_device, dest_ip), destination)

harsmarvania57 · ‎04-10-2019

Hi,

Try below query

<yoursearch>
| eval final_destination = if(destination="", if(dest_ip="", dest_device, dest_ip), destination)

jacqu3sy · ‎04-10-2019

star! thanks.

eval if blank field