https://community.splunk.com/t5/Knowledge-Management/Help-require-to-define-calculate-field/m-p/447414#M3969 <P>please go through the eval documentation here <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Eval">https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Eval</A> and here<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usetheevalcommandandfunctions">https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usetheevalcommandandfunctions</A><BR /> eval can be used with if, case just like other programming languages<BR /> Your requirement is also not very clear, you say - when field securityService = Antimalware then new signature field equals to securityService and you give an example in bold <BR /> securityService = Antispam then signature field equals to securityService<BR /> So when securityService = both Antispam or Antimalware your signature field should eval out to securityService?<BR /> What is the difference when you are setting the securityService feild to the same value?</P> Sun, 05 May 2019 07:45:56 GMT Sukisen1981 2019-05-05T07:45:56Z https://community.splunk.com/t5/Knowledge-Management/Help-require-to-define-calculate-field/m-p/447413#M3968 <P>Hi All,</P> <P>I need to calculate field base on the below scenario. </P> <P>need to create a new field signature but when field securityService = Antimalware then new signature field equals to securityService "<EM>" malwareCategory and if securityService = Antispam then signature field equals to securityService "</EM>" verdict . </P> <P>Thanks in advance</P> Sun, 05 May 2019 07:30:54 GMT https://community.splunk.com/t5/Knowledge-Management/Help-require-to-define-calculate-field/m-p/447413#M3968 sumitkathpal 2019-05-05T07:30:54Z https://community.splunk.com/t5/Knowledge-Management/Help-require-to-define-calculate-field/m-p/447414#M3969 <P>please go through the eval documentation here <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Eval">https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Eval</A> and here<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usetheevalcommandandfunctions">https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usetheevalcommandandfunctions</A><BR /> eval can be used with if, case just like other programming languages<BR /> Your requirement is also not very clear, you say - when field securityService = Antimalware then new signature field equals to securityService and you give an example in bold <BR /> securityService = Antispam then signature field equals to securityService<BR /> So when securityService = both Antispam or Antimalware your signature field should eval out to securityService?<BR /> What is the difference when you are setting the securityService feild to the same value?</P> Sun, 05 May 2019 07:45:56 GMT https://community.splunk.com/t5/Knowledge-Management/Help-require-to-define-calculate-field/m-p/447414#M3969 Sukisen1981 2019-05-05T07:45:56Z https://community.splunk.com/t5/Knowledge-Management/Help-require-to-define-calculate-field/m-p/447415#M3970 <P>Create a <CODE>Calculated Field</CODE> called <CODE>signature</CODE> defined like this:</P> <PRE><CODE>case(securityService == "Antimalware", securityService "_" malwareCategory, securityService == "Antispam", securityService "_" verdict, true(), "BROKEN/FIXME") </CODE></PRE> Sun, 05 May 2019 23:09:47 GMT https://community.splunk.com/t5/Knowledge-Management/Help-require-to-define-calculate-field/m-p/447415#M3970 woodcock 2019-05-05T23:09:47Z https://community.splunk.com/t5/Knowledge-Management/Help-require-to-define-calculate-field/m-p/447416#M3971 <P>Thanks @woodcock but if we add three fields than it stops working </P> <P>case(securityService == "Antimalware", securityService + "<EM>" + malwareCategory, securityService == "Antispam", securityService + "</EM>" + verdict, true(), "BROKEN/FIXME") (This on is working under calculated field)</P> <P>case(securityService == "Antimalware", securityService + "<EM>" + malwareCategory +"</EM>"+ category , securityService == "Antispam", securityService + "<EM>" + verdict + "</EM>" + category , true(), "BROKEN/FIXME") (This on is working when you use this under search using eval command but when you define it under calculated field it stops working)</P> Wed, 08 May 2019 01:43:55 GMT https://community.splunk.com/t5/Knowledge-Management/Help-require-to-define-calculate-field/m-p/447416#M3971 sumitkathpal 2019-05-08T01:43:55Z