
Splunk Coalesce Function


Hello, I'm trying to utilize the coalesce eval function within Splunk. However, the eval function doesn't like fields that have a space in them.

In the past I've gotten around this by utilizing the rename function to change the field with a space in it to a field name without a space. However, that is not working this time for some reason.

Are there alternatives to using fields with spaces in eval statements besides the rename trick?

Example:

    base search
    |eval test=coalesce(field1,field2)
    | rename "space field 1" AS field1, "space field 2" AS field2
    | table field1 field2 test

Solution

  • The SPL you shared shows the rename after you attempt to coalesce():

    base search
    | eval test=coalesce(field1,field2)
    | rename "space field 1" AS field1, "space field 2" AS field2
    | table field1 field2 test
    

    Pretty sure what you want is this:

    base search
    | rename "space field 1" AS field1, "space field 2" AS field2
    | eval test=coalesce(field1,field2)
    | table field1 field2 test
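
On the question's request for an alternative to rename: inside an eval expression, a field name containing spaces can be referenced by wrapping it in single quotes, while double quotes produce a string literal. The search below is an added example, not part of the original answer; it builds three constructed events with `makeresults` so it can be run without any index, and the column names `n`, `test` and `literal` are chosen here for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval "space field 1"=case(n==1, "from-field-1")
| eval "space field 2"=case(n==1, "ignored", n==2, "from-field-2")
| eval test=coalesce('space field 1', 'space field 2')
| eval literal=coalesce("space field 1", "space field 2")
| table n "space field 1" "space field 2" test literal
```

`test` takes the first non-null field value per event and stays empty when both fields are null, whereas `literal` always contains the text `space field 1` because double-quoted arguments are treated as strings rather than field references.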