Reputation: 21
In my Splunk search result data, some objects have the fields ID, Type, Name and some have the fields ID, Type, UnitId. For objects with Type equal to "A1", the Name field exists, but for objects with Type equal to "A2", the Name field does not exist and the UnitId field is there instead. I would like to display the columns ID, Type, and Name in my Splunk table but not the UnitId column. The issue is that for objects with Type equal to "A2", the value of the Name column will be an empty string. So for each table row, I would like to use an eval function to replace the empty string in the Name column with the value of the UnitId column if the Type is equal to "A2".
For the rows where the Type is equal to "A2" and Name is an empty string, I tried using the following script to replace the empty strings with the UnitId column value and display only the ID, Type, and Name columns, but the eval function in the script does not work.
index="demo_data" sourcetype="data.zip"
| fields ID Type Name UnitId
| table ID Type Name
| eval Name = if(isnull('Name') AND Type="A2", 'UnitId', 'Name')
I noticed that if I include the UnitId column in the table then my eval function works, but without it, it does not work. So my question is: how do I include the UnitId column in the table to ensure that it will still be available for use by the eval function, but hide it so that it is not visible to the user?
Upvotes: 0
Views: 986
Reputation: 441
As said in the comments, we may be missing information:
You'll end up with:
index="demo_data" sourcetype="data.zip"
| eval Name = if(isnull('Name') AND Type="A2", 'UnitId', 'Name')
| table ID Type Name
Upvotes: 0
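The ordering in the answer can be checked without the original index. The search below is an added example, not part of either post: it builds four constructed rows with `makeresults` and fills Name while UnitId is still in the pipeline, since `table` keeps only the fields it lists and anything after it can no longer see UnitId. The `sample-` values and the extra `Name==""` test (for rows where Name is present but empty rather than missing) are assumptions.

```spl
| makeresults count=4
| streamstats count AS ID
| eval Type=if(ID%2==1, "A1", "A2")
| eval Name=case(Type=="A1", "sample-name-".ID, ID==4, "")
| eval UnitId=if(Type=="A2", "sample-unit-".ID, null())
| eval Name=if((isnull(Name) OR Name=="") AND Type=="A2", UnitId, Name)
| table ID Type Name
```

Rows 1 and 3 keep their Name, while rows 2 (Name missing) and 4 (Name empty) show the UnitId value in the Name column; UnitId itself is not displayed.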