Solved: eval if isnull hope fill other values

chengyu · ‎04-30-2014

Hi:

My weburl sometim is null, i hope if weburl is null then weburl1 fill to weburl. I'm try "eval n=if(isnull(hostname),weburl1)" but fail, how should i do? Thanks.

index=xx | fillnull value=SSL attack| eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | strcat " " date " " time " " as Date |strcat " " hostname url " " as weburl | strcat " " host_name url " " as weburl1 | eval n=if(isnull(hostname),weburl1)|stats sum(bandwidth(MB)) as bandwidth(MB) values(srcip) as srcip values(service) as service values(attack) as app last(Date) as LastDate first(Date) as FirstDate values(weburl) as weburl values(weburl1) as weburl1 values(policyid) as policyid values(n) as n by dstip | table srcip,dstip,app,service,LastDate,FirstDate,weburl,weburl1,bandwidth(MB),policyid,n |sort 10 bandwidth(MB) desc

martin_mueller · ‎04-30-2014

You can use coalesce() to use the first value from a list of fields that isn't null:

... | eval weburl = coalesce(weburl, weburl1, weburl2, weburl3, ...) | ...

View solution in original post

martin_mueller · ‎04-30-2014

You can use coalesce() to use the first value from a list of fields that isn't null:

... | eval weburl = coalesce(weburl, weburl1, weburl2, weburl3, ...) | ...

chengyu · ‎04-30-2014

Hi

last modify success, thank guts.
| eval n = coalesce(hostname, host_name) |strcat " " n url " " as weburl3 |...

MuS · ‎04-30-2014

Hi chengyu,

your eval is missing the third argument in the if statement. Try something like this:

eval n=if(isnull(hostname), weburl1, "ThereIsAhostname")

you can use as third argument another field's value or some boolean test like I did.

hope this helps ...

cheers, MuS

eval if isnull hope fill other values

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?