Coalesce is an eval function (use the eval function to evaluate an expression based on our events). This function takes an arbitrary number of arguments and returns the first value that is not NULL. We can use this function with the eval command and as a part of eval expressions.

Example:

    index="abc" sourcetype="abc" | table Message1,Message2 | eval Message=coalesce(Message1,Message2) | dedup Message

- In the above query, "abc" is the index and the sourcetype name is "abc".
- Using the table command, we have taken two fields called Message1 and Message2.
- Then, using the eval command, we create a new field called Message.

Using the coalesce function, we got one new field, Message, with the values of Message1 and Message2. The Message1 field contains some values and the Message2 field contains some values. The coalesce function returns the value of the first field that is not null. In the Message field, for the first 4 rows from the top we are getting the value of the Message1 field, because the Message1 field is not null. But in the last row we are getting the data of the Message2 field, because in the last row the Message1 field is null. This function is also used for the data-normalization process.

Part 1:

    index="shantanu" sourcetype="col_csv" | table Name NAME name | eval New_Name=coalesce(Name,NAME,name)

- In the above query, "shantanu" is the index and the sourcetype name is "col_csv".
- Using the table command, we have taken three fields called Name, NAME and name.
- Then, using the eval command, we create a new field called New_Name.
- With the eval command we use one function, coalesce.

Using the coalesce function, we got one new field, New_Name, with the values of the Name, NAME and name fields.

Here one can see that within the coalesce function the order of the fields is Name, NAME and name, and the results in New_Name follow that order. In the first field, Name, we have Nibedan and Gopal; both are listed in New_Name, but Salim from the NAME field is not listed in New_Name because the Name field comes first within the function. That is why it first checks the Name field, and only after Gopal, where it finds NULL, does it jump to the next field, where it finds Sarada instead of Salim.

Now if you change the order of the field names within the coalesce function, the result will also change accordingly. Take a look:

    index="shantanu" sourcetype="col_csv" | table Name NAME name | eval New_Name=coalesce(name,NAME,Name)
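The search below is an added example, not part of the original post. It reproduces the argument-order effect described above on constructed rows built with makeresults, so it runs without the "shantanu" index. The row layout, the values "Rina" and "Asha", and the field names New_Name_1 to New_Name_3 are assumptions for illustration. It also goes one step beyond the post: row 5 holds an empty string in Name, which coalesce treats as not NULL, and New_Name_3 shows nullif turning empty strings into NULL before coalescing.

```spl
| makeresults count=5
| streamstats count AS row
| eval Name=case(row=1,"Nibedan", row=2,"Gopal", row=5,"")
| eval NAME=case(row=1,"Salim", row=3,"Sarada", row=5,"Asha")
| eval name=case(row=4,"Rina")
| eval New_Name_1=coalesce(Name,NAME,name)
| eval New_Name_2=coalesce(name,NAME,Name)
| eval New_Name_3=coalesce(nullif(Name,""),nullif(NAME,""),nullif(name,""))
| table row Name NAME name New_Name_1 New_Name_2 New_Name_3
```

Row 1 gives Nibedan in New_Name_1 and Salim in New_Name_2. Row 5 gives an empty New_Name_1 but Asha in New_Name_3, which matters when coalesce is used to normalize a field that detections or lookups later match on.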