Hello,
I'm new with SPL and Splunk, I have a folder that has 3 files, in the first file I have a column called Vblock, in the other two is called vCenter. I want to rename vCenter by Vblock in both files and then I want to replace the Vblock values as follows: when I have Vbc1 I replace it with Vblock1, when I have Vbc2 I replace it with Vblock 2, as I can do that?
I made this request |rename vCenter as Vblock |replace "vbc1" with "Vblock1", "vbc2" with "Vblock2" in Vblock but they do not replace the values of Vblock or I may not know how to check.
Thanks for your help.
The rename
command changes the field name
whereas replace
changes the field value
so you have that part right. You just need some wildcards:
|rename vCenter as Vblock |replace "*vbc1*" with "*Vblock1*", "*vbc2*" with "*Vblock2*" in Vblock
what is the role of the order coalesce
Hi,
You can do something like below,
| eval newfield=colesce(Vblock,vCenter)
| eval newfield=Case(newfield="Vbc1","vblock1",newfield="vbc2","vblock2")
What does the coalesce command mean in this Splunk search?