Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to add a value to a fieldvalue if a certain field exists?

avoelk
Communicator
‎09-07-2021 12:54 AM

Hello everyone!

I struggle to find a way to add a value (for example 1) to a fieldvalue in case a certain field exists. Let's say this certain field is fieldx and it only exists and has a value, when you specifically block a port. After you've unblocked it, the field disappears.

what I'm currently looking at is a maxvalue of a field (for example the highest destination port number) so I go 


index=firewall destport=*
|stats max(destport) as max_port

now I have my highest destination port. let's say it's 65000 

 

what I'm now trying to accomplish is, that, if this port is currently blocked and the fieldx=blocked appears, I want to add a 1 to the max_port value -> 65001 and otherwise leave it be.

I've tried an eval if  like that:

|eval maxport=if(isnotnull(fieldx),max_port+1,max_port)

 

but it doesn't work. do I have something wrong? 

ps: in reality I don't know what the value of the fieldx is, so I can't just if(fieldx==blocked,...). but since the field only appears if there is a value in it to begin with, I would use that to my advantage.

 

also, is it possible to add the +1 only for a certain period of time ? for example add +1 to the value as long as it is in a two week frame ? 

 

Labels (3)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-07-2021 01:08 AM

Are you sure you're calling isnotnull on the right field? From what you describe you'd rather need

|eval maxport=if(isnotnull(fieldx),max_port+1,max_port)

And are you sure that you want a new column maxport or do you want to overwrite max_port?

0 Karma
Reply

avoelk
Communicator
‎09-07-2021 01:24 AM

True! tnx, I edited my question. I meant to put fieldx in it, not max_port.
actually I want to overwrite maxport, the new field was just to show whether my eval works or not (it doesn't). 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-07-2021 02:35 AM

Well... should work

| makeresults
| eval port=123 
| eval port=if(isnotnull(fieldx),port+1,port)

Gives you port 123

| makeresults
| eval port=123 
| eval fieldx="whatever"
| eval port=if(isnotnull(fieldx),port+1,port)

Gives 124.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...