Hi HeinzWaescher,
you could set up an eval-based statement in props.conf:
EVAL-<fieldname> = <eval statement>
* Use this to automatically run the <eval statement> and assign the value of the output
to <fieldname>. This creates a "calculated field."
* When multiple EVAL-* statements are specified, they behave as if
they are run in parallel, rather than in any particular sequence.
For example say you have two statements: EVAL-x = y*2 and EVAL-y=100. In this case, "x"
will be assigned the original value of "y * 2," not the value of "y" after it is set to 100.
* Splunk processes calculated fields after field extraction and field aliasing but before
lookups. This means that:
* You can use a field alias in the eval statement for a calculated field.
* You cannot use a field added through a lookup in an eval statement for a calculated
field.
The eval could look like this:
EVAL-amount = if(isnull(amount), "100" , amount)
This is untested, so maybe you need to adapt it to your needs.
cheers, MuS
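The parallel-evaluation rule quoted above has a practical consequence for the suggested default, shown here as an added example that is not part of the original answer. The stanza name `my_sourcetype` and the field `amount_doubled` are hypothetical; only `EVAL-amount` comes from the post.

```ini
# props.conf (constructed example; stanza and derived field names are hypothetical)
[my_sourcetype]

# From the answer: give events without an "amount" field a default value.
EVAL-amount = if(isnull(amount), "100", amount)

# Pitfall: EVAL-* statements behave as if run in parallel, so this expression
# reads the ORIGINAL "amount", not the defaulted one. For events that arrive
# without "amount", the input is null and amount_doubled is null as well.
# EVAL-amount_doubled = amount * 2

# Self-contained form: repeat the defaulting logic inside the expression so it
# does not depend on another calculated field.
EVAL-amount_doubled = coalesce(amount, 100) * 2

# Also note the ordering rule from the spec: calculated fields run after field
# extraction and field aliasing but before lookups, so neither expression can
# reference a field that is only added by a lookup.
```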