Solved: Re: IF then problems...

jacqu3sy · ‎04-24-2017

struggling with the following IF statement....

I have a table, and want to create a new field called 'finalclosedtime' which will be populated either by an existing field called 'closedtime' or a string IF one of the other fields contains a value of "New".

I tried this but no joy:

| eval finalclosedtime=if((status_label="New",stringtopopulate)closedtime)

Any ideas? Thanks.

dineshraj9 · ‎04-24-2017

You can form the field this way -

| eval finalclosedtime=if(like(status_label,"%New%"),stringtopopulate,closedtime)

View solution in original post

paulbannister · ‎04-24-2017

Hi There, try it simply as:

| eval finalclosedtime=if(status_label="New", stringtopopulate, closedtime)

jacqu3sy · ‎04-24-2017

Also worked, thanks!

dineshraj9 · ‎04-24-2017

You can form the field this way -

| eval finalclosedtime=if(like(status_label,"%New%"),stringtopopulate,closedtime)

jacqu3sy · ‎04-24-2017

Thats so simple, took me ages trying to get that working! many thanks!

DalJeanis · ‎04-24-2017

Great! Please accept the answer that solved the problem, and upvote any other answers that you found particularly helpful.

dineshraj9 · ‎04-24-2017

no problem 🙂

IF then problems...

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?