If a calculated field has the same name as an extracted field, what happens to the extracted field?
If a calculated field has the same name as an extracted field, the calculated field will override the extracted field. This means the value of the extracted field will be replaced by the value of the calculated field, even if the calculated field results in a null value.
https://docs.splunk.com/Documentation/Splunk/9.2.0/Knowledge/definecalcfields
https://docs.splunk.com/Documentation/Splunk/9.1.3/Knowledge/definecalcfields
A correct. Preventing overrides of existing fields: If a calculated field has the same name as a field that has been extracted by normal means, the calculated field will override the extracted field, even if the eval statement evaluates to null. You can cancel this override with the coalesce function for eval in conjunction with the eval expression. Coalesce takes an arbitrary number of arguments and returns the first value that is not null.