https://community.splunk.com/t5/Splunk-Enterprise-Security/Calculated-field-always-evaluates-to-zero/m-p/320520#M2952 <P>Hi All</P> <P>I am attempting to create a field called <STRONG>app</STRONG> for Enterprise Security based off of Cisco WSA Squid logs</P> <P>To create the field, I use a field alias of the sourcetype to fill the value of <STRONG>app</STRONG></P> <P>Next I am trying to use a calculated field to determine to final value <CODE>app=case(app="cisco:wsa:squid","squid")</CODE></P> <P>Testing this in a basic search works fine <CODE>sourcetype=cisco:wsa:squid | eval app=case(app="cisco:wsa:squid","squid") | table _time, app</CODE></P> <P>But using that search as a calculated field always evaluates to zero.</P> <P>Anyone have any idea why?</P> Fri, 19 Jan 2018 12:04:29 GMT davidmonaghan 2018-01-19T12:04:29Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Calculated-field-always-evaluates-to-zero/m-p/320520#M2952 <P>Hi All</P> <P>I am attempting to create a field called <STRONG>app</STRONG> for Enterprise Security based off of Cisco WSA Squid logs</P> <P>To create the field, I use a field alias of the sourcetype to fill the value of <STRONG>app</STRONG></P> <P>Next I am trying to use a calculated field to determine to final value <CODE>app=case(app="cisco:wsa:squid","squid")</CODE></P> <P>Testing this in a basic search works fine <CODE>sourcetype=cisco:wsa:squid | eval app=case(app="cisco:wsa:squid","squid") | table _time, app</CODE></P> <P>But using that search as a calculated field always evaluates to zero.</P> <P>Anyone have any idea why?</P> Fri, 19 Jan 2018 12:04:29 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Calculated-field-always-evaluates-to-zero/m-p/320520#M2952 davidmonaghan 2018-01-19T12:04:29Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Calculated-field-always-evaluates-to-zero/m-p/320521#M2953 <P>I have two queries.<BR /> 1) what eval expression you have configured . can you give the artifacts of <CODE>local/props.conf</CODE> where this calculated field configuration is.<BR /> 2) Try making calculated field permissions to global.</P> Fri, 19 Jan 2018 12:22:47 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Calculated-field-always-evaluates-to-zero/m-p/320521#M2953 mayurr98 2018-01-19T12:22:47Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Calculated-field-always-evaluates-to-zero/m-p/320522#M2954 <P>1) I used the Splunk Web interface. The eval expression used was <CODE>app=case(app="cisco:wsa:squid","squid")</CODE><BR /> 2) Permission have been set to <STRONG>global</STRONG></P> Fri, 19 Jan 2018 13:00:07 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Calculated-field-always-evaluates-to-zero/m-p/320522#M2954 davidmonaghan 2018-01-19T13:00:07Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Calculated-field-always-evaluates-to-zero/m-p/320523#M2955 <P>You need to write only <CODE>case(app="cisco:wsa:squid","squid")</CODE> in the eval expression. Field name you have to specify in Name.</P> Fri, 19 Jan 2018 13:04:13 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Calculated-field-always-evaluates-to-zero/m-p/320523#M2955 mayurr98 2018-01-19T13:04:13Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Calculated-field-always-evaluates-to-zero/m-p/320524#M2956 <P>Thanks that worked perfectly</P> Mon, 22 Jan 2018 10:53:21 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Calculated-field-always-evaluates-to-zero/m-p/320524#M2956 davidmonaghan 2018-01-22T10:53:21Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Calculated-field-always-evaluates-to-zero/m-p/320525#M2957 <P>I have converted my comment to an answer. If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.</P> Mon, 22 Jan 2018 11:43:33 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Calculated-field-always-evaluates-to-zero/m-p/320525#M2957 mayurr98 2018-01-22T11:43:33Z