Refine your search:

Add missing value to field in event or record via query

0

I have some events/records in my data that occurred in the past and we have since added some fields that for these events/records, is now null/blank. I'd like to be able to query for these events and add a value to the field just as you can with the | delete operator. Any idea how to do this?

asked 03 Feb, 12:45

atornes's gravatar image

atornes
1014
accept rate: 100%

One Answer:
oldestnewestmost voted
0

You cannot add data to any existing event in the index. However, perhaps you could use a lookup table to establish values for these fields when they are null. Hint: don't overwrite existing values with an automatic lookup.

I could say more about lookups, if you could explain a bit about the queries you were considering.

link

answered 03 Feb, 14:17

lguinn's gravatar image

lguinn ♦
3.1k216
accept rate: 24%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×64
×19
×10
×4

Asked: 03 Feb, 12:45

Seen: 333 times

Last updated: 03 Feb, 14:17

Related questions

How do I search for event with null values in fields

Append returning null, then search returns null...?

Not able to see "WebSphere_ProfileName= (null)" and "WebSphere_HostName=(null)" on splunk WebSphere dashboard

Add values of field and create pie

date_* fields are NULL for some data. Why?

Add a comment field to an event

How to add data to an extracted field?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.