Solved: eval if blank field - Splunk Community

Splunk Search

Hi,

Can I use multiple field values to substitute a blank value?

Currently have;

| eval final_destination = if(destination="", dest_ip, destination)\

How would I add additional fields to this command? so that if dest_ip was also blank, use dest_device instead?

1 Solution

Solution

Hi,

Try below query

<yoursearch>
| eval final_destination = if(destination="", if(dest_ip="", dest_device, dest_ip), destination)

You can try coalesce function in eval as well, have a look at https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/ConditionalFunctions#coalesce.28X...

View solution in original post

Solution

Hi,

Try below query

<yoursearch>
| eval final_destination = if(destination="", if(dest_ip="", dest_device, dest_ip), destination)

You can try coalesce function in eval as well, have a look at https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/ConditionalFunctions#coalesce.28X...

star! thanks.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...