Splunk: a macro everybody needs: unknownify

262 views

Skip to first unread message

Gregg Woodcock

unread,

Jun 15, 2012, 1:31:50 PM6/15/12

to splunk...@googlegroups.com

I have 2 pairs of this macro; one with the more clear name "unknownify" and the much shorter one, "unk". There are 2 versions of the macro, one where you may specify the name of the value and the other where it defaults to "unkown".

[unknownify(1)] # same as below but clearer name
args = FieldName
definition = eval $FieldName$=if(isnull($FieldName$),"unknown",$FieldName$)
[unk(1)] # same as above but shorter name
args = FieldName
definition = eval $FieldName$=if(isnull($FieldName$),"unknown",$FieldName$)

[unknownify(2)] # same as below but clearer name
args = FieldName, UnknownText
definition = eval $FieldName$=if(isnull($FieldName$),"$UnknownText$",$FieldName$)
[unk(2)] # same as above but shorter name
args = FieldName, UnknownText
definition = eval $FieldName$=if(isnull($FieldName$),"$UnknownText$",$FieldName$)

Reply all

Reply to author

Forward

0 new messages