Splunk Coalesce Function

Question

Hello I'm trying to utilize the coalesce eval function within Splunk. However, the eval function doesn't like fields that have a space in them.

In the past I've gotten around this by utilizing the rename function to change the field with a space in it to a field name without a space. However, that is not working this time for some reason.

Is there alternatives to using fields with spaces in eval statements besides rename trick?

example

base search
|eval test=coalesce(field1,field2)
| rename "space field 1" AS field1, "space field 2" AS field2
| table field1 field2 test

Answer 1

So I figured this out.You have to use single quotes around fields with spaces in them.

Remember that coalesce uses these fields in order provided when filling in a non-NULL value. So keep that in mind when using this function as well!

Working example:

base search
| eval test=coalesce('space field 1','space field 2')
| rename "space field 1" AS field1, "space field 2" AS field2
| table field1 field2 test

Answer 2

Use single quotes around text in the eval command to designate the text as a field name. Double quotes around the text make it a string constant.

base search
| eval test=coalesce('space field 1','space field 2')
| table "space field 1" "space field 2" test

Notice how the table command does not use this convention. All arguments to table are treated as field names.

Answer 3

The SPL you shared shows the rename after you attempt to coalesce():

base search
| eval test=coalesce(field1,field2)
| rename "space field 1" AS field1, "space field 2" AS field2
| table field1 field2 test

Pretty sure what you want is this:

base search
| rename "space field 1" AS field1, "space field 2" AS field2
| eval test=coalesce(field1,field2)
| table field1 field2 test