Splunk Search

How to combine two fields into one after if without losing values

ebs
Communicator

Hi,

I have a uri_path that I want to combine into a single value, and put the combined value back into the original field. I have achieved that with the search below:

index=ping_sandbox uri_path=/as/*/resume/as/authorization
| eval uri=if(like(uri_path, "/as/%/resume/as/authorization"), "resume/as/authorization", uri)
| eval uri_path=mvappend(uri, url_path)

However, not every uri_path is /as/*/resume/as/authorization, and when I remove the uri_path search value, all the other uri_path values are gone.

For example, here are 3 values: /1 /2 /3. If I do the above eval statements for /as/*/resume/as/authorization I don't have /1, /2 or /3 anymore.

Does anyone have any advice on how to do the above eval statements while still retaining the rest of the field values? I only want the eval statements applied if /as/*/resume/as/authorization is present as well

0 Karma
1 Solution

bowesmana
SplunkTrust

It looks like you have 2 typos in your SPL

 

| eval uri=if(like(uri_path, "/as/%/resume/as/authorization"), "resume/as/authorization", uri_path)
| eval uri_path=mvappend(uri, uri_path)

 

3rd param to if should be uri_path - you had uri

2nd param to mvappend() was url_path, should be uri_path

HOWEVER, you can do this with a single line

| eval uri_path=if(like(uri_path, "/as/%/resume/as/authorization"), mvappend("resume/as/authorization", uri_path), uri_path)

 

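To see the two behaviours side by side without touching the ping_sandbox index, here is an added, self-contained search (not code from the thread) that builds four sample events with makeresults and evaluates the original two-line form and the single-line form from the accepted answer against the same uri_path. The field names n, broken and fixed, and the sample path /as/abc123/resume/as/authorization, are constructed for this example; the original two-line form is reproduced with its typos (uri referenced before it exists, and url_path) so the effect of those typos is visible, and it writes to broken instead of overwriting uri_path so the input column stays readable.

```spl
| makeresults count=4
| streamstats count AS n
| eval uri_path=case(n==1, "/as/abc123/resume/as/authorization",
                     n==2, "/1",
                     n==3, "/2",
                     n==4, "/3")
| fields - _time
| eval uri=if(like(uri_path, "/as/%/resume/as/authorization"), "resume/as/authorization", uri)
| eval broken=mvappend(uri, url_path)
| eval fixed=if(like(uri_path, "/as/%/resume/as/authorization"),
                mvappend("resume/as/authorization", uri_path),
                uri_path)
| eval broken_count=mvcount(broken), fixed_count=mvcount(fixed)
| table n uri_path broken broken_count fixed fixed_count
```

In the broken column, rows 2 to 4 have nothing, because uri is null on the non-matching rows (the third argument of if() names a field that does not exist yet) and url_path never exists, so mvappend() has no values to return; that is the "all the other uri_path values are gone" symptom from the question. In the fixed column, row 1 carries both resume/as/authorization and the original path (fixed_count of 2) while rows 2 to 4 keep their single original value, which is the behaviour the accepted answer describes. The same if()/mvappend() pattern can be extended to several normalisations with case() instead of if() when more than one path shape needs collapsing.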


richgalloway
SplunkTrust

Have you tried this?

index=ping_sandbox uri_path=*
| eval uri=if(like(uri_path, "/as/%/resume/as/authorization"), "resume/as/authorization", uri)
| eval uri_path=mvappend(uri, url_path)
---
If this reply helps you, Karma would be appreciated.
0 Karma

ebs
Communicator

Yes, but all the field values are overwritten by the uri field value from the eval if

0 Karma