Is this correct? The reason I'm asking is because I see a "Compliant" field and a "NonCompliant" field in the foreach command, and I'm not sure how they come into play. I'm operating under the assumption that we're working with these two fields for this search:

Another option is to create a separate row for each user's start and end date:

```
| eval periods=mvzip(startdate, enddate)   // create multi-value field with pairs of comma-separated dates
| mvexpand periods                         // separate each pair into separate events
| makemv periods delim=","                 // separate the pair into a multi-value
eval startdatemvindex.
```

These should just be combined into a single field. Only one field is ever populated at any one time, so it is a bit redundant to have two fields that hold very similar information.

The reason it fails to recognize the count of statusCategory="Fail" is because the search pipe and the stats pipe remove all instances of fail statuses from the data.

I have two fields I would like to combine into one field.

If the destination field matches an already existing field name, then it overwrites the value of the matched field with the eval expression's result.

I've had the most success combining two fields the following way:

```
eval CombinedName=Field1+ Field2+ Field3
```

If you want to combine it by putting in some fixed text, the following can be done:

```
eval CombinedName=Field1+ Field2+ Field3+ "fixedtext" +Field5
```

Hello again rashi! No problem at all, it is my intention to help out however I can.

Concatenation of 2 fields - help. This seems like a super simple question but who knows :) I'd like to take fieldA which contains ABC and fieldB which contains 123.

In the simplest words, the Splunk eval command can be used to calculate an expression and put the value into a destination field.