If a calculated field has the same name as an extracted field, what happens to the extracted field?
If a calculated field has the same name as an extracted field, what happens to the extracted field?
If a calculated field has the same name as an extracted field, the calculated field will override the extracted field. This means the value of the extracted field will be replaced by the value of the calculated field, even if the calculated field results in a null value.
The correct answer is:A. The calculated field will override the extracted field. In Splunk, if a calculated field has the same name as an extracted field, the calculated field will override the extracted field. This means that the value of the calculated field will be used instead of the value of the extracted field.This is because calculated fields are evaluated after extracted fields in the search-time operations sequence. Therefore, if a calculated field has the same name as an extracted field, the calculated field will override the extracted field.
A correct Preventing overrides of existing fields If a calculated field has the same name as a field that has been extracted by normal means, the calculated field will override the extracted field, even if the eval statement evaluates to null. You can cancel this override with the coalesce function for eval in conjunction with the eval expression. Coalesce takes an arbitrary number of arguments and returns the first value that is not null.
https://docs.splunk.com/Documentation/Splunk/9.1.3/Knowledge/definecalcfields
https://docs.splunk.com/Documentation/Splunk/9.2.0/Knowledge/definecalcfields