topic Re: Setting field based on eventtype in Knowledge Management

Setting field based on eventtype

lakromani — Sat, 30 Sep 2017 20:51:44 GMT

I do use eventtypes.conf to extract fields.
Then in tags.conf I do set warning=enable for some of the fields.
Some is error and other is information.

In my search, this then shows up as eventtype=xyz, tags=error

I would like to change this so I get a new field called severity.
How do I set the severity field based on eventtype?

Instead of

tag=information
tag=warning
tag=error

I would like

severity=information
severity=warning
severity=error

This should be generated by the various type of events.
Generating the tags is easy done in tags.conf, but that is what I not need, just the field severity based on the different type of events.

Re: Setting field based on eventtype

andre_tucker — Sun, 01 Oct 2017 13:15:26 GMT

You could use the eval command with an if or case statement.

| eval severity=case(tag==error, "Medium", tag==Info, "Low", tag==fatal, "High")

Obviously you would need to change the tag= to whatever values of tags you want and the severities to whatever you would like.

Re: Setting field based on eventtype

lakromani — Sun, 01 Oct 2017 13:58:55 GMT

That could do it, but I would like to have it automatically created. It should substitute the tag 100%

Re: Setting field based on eventtype

andre_tucker — Sun, 01 Oct 2017 14:04:52 GMT

I believe I may be misunderstanding what you are trying to do. Can you send an example of what your fields should be if the eventtype=xyz?

Re: Setting field based on eventtype

lakromani — Sun, 01 Oct 2017 15:01:43 GMT

See updated post.

Re: Setting field based on eventtype

andre_tucker — Sun, 01 Oct 2017 15:58:39 GMT

I believe I understand what you want to do now. Normally you would use an alias in order to create a new field with the same value of another field. (ex. If you alias source_ip=ip then you would be able to search for that field by using either of those field names). The problem is that this won't work very well for tags. If you alias a tag then you are creating a new field called severity and that field will contain the value of ANY tag, not only the tags that you want because there is no way to say apply an alias only if the tag is a certain value. For example your severity field could end up something like severity=authentication if the authentication tag is also given to those events.

If you only want to change have the severity field created when those tags contain those values then you could use my previous suggestion.

 | eval severity=case(tag==error, "error", tag==info, "info", tag==warning, "warning")

The problem is that you would have to do this to any search that you want it applied to. There is a slightly better way that you could achieve this, and that is by using an automatic lookup.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Knowledge/DefineanautomaticlookupinSplunkWeb

This will allow you to have a field called tag in the lookup and you can have tag=error, tag=info, tag=warning, then you could have another column called severity with the same values. After that put tag as your input field and severity as your output field. Then apply the automatic lookup to the sourcetype, host, or source that you want this to be applied to. Then anytime a tag within that sourcetype, host, or source has the value of any value in your lookup, a field called severity will be created with that value.

Let me know if this helps.