https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393022#M114333 <P>Weird. It seems like the eval for action just refuses to work, I even tried changing the action to evalAction, and manually filtering mod_action to be N.A for the auth events, but while the mod_action for auth events became N.A, when I got evalAction to check if mod_action is N.A and return the outcome field if it is and mod_action field if it is not, the if statement keeps evaluating to false and mod_action values are displayed for evalAction. Guess it’s just some issue’s with Splunk so I’ll try again tmr</P> Tue, 29 Sep 2020 20:47:58 GMT jmteo 2020-09-29T20:47:58Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393016#M114327 <P>Hi guys,</P> <P>I am trying to create an evaluated field, action, that will contain different values from different fields based on whether the eventtype is change for mapping to the change and authentication CIM models action field respectively. After some research and searching around, I still am stuck at it.<BR /> My current eval statement is:<BR /> eval action = if('tag::eventtype'!="change", outcome, mod_action)<BR /> Examples of values: outcome=&gt; success, failure mod_action=&gt; modified, deleted</P> <P>Could someone kindly advise me as to what I am doing wrong here? Why is it that when I try this splunk always evaluates action to either outcome or mod_action, and not either of them depending on the eventtype? Thanks and have a pleasant day ahead <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 29 Sep 2020 20:47:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393016#M114327 jmteo 2020-09-29T20:47:48Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393017#M114328 <P>Do you mean to say, you get the result as literal value 'outcome' and 'mod_action' instead of the actual "values" or regardless of condition, you get both values?</P> Mon, 06 Aug 2018 07:48:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393017#M114328 renjith_nair 2018-08-06T07:48:29Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393018#M114329 <P>For the current eval statement, the action field always evaluates to mod_action</P> Mon, 06 Aug 2018 08:15:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393018#M114329 jmteo 2018-08-06T08:15:17Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393019#M114330 <P>That sounds to me like there is something wrong with evaluating the <CODE>'tag::eventtype'!="change"</CODE>. I'm wondering if it is even possible to evaluate tags like that in eval statements?</P> <P>Have you tried simply evaluating <CODE>eventtype=foo</CODE>, rather than through the tag? Otherwise, try and find some other knowledge to make the choice, rather than based on the eventtype.</P> Mon, 06 Aug 2018 08:31:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393019#M114330 FrankVl 2018-08-06T08:31:05Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393020#M114331 <P>Hi Guys, </P> <P>I have authentication events tagged as authentication, and change events tagged with change. What would be a possible way to do an eval like what I asked above, without using the tags, if the events contains no clear indication as to whether they are change or authentication events? I have tried with eventtypes as suggested above but even that does not work as action keeps being mod_action</P> Mon, 06 Aug 2018 09:33:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393020#M114331 jmteo 2018-08-06T09:33:22Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393021#M114332 <P>Does mod_action contain any value for authentication events? If not, you could simply do:</P> <P><CODE>eval action = coalesce(mod_action,outcome)</CODE></P> <P>Otherwise: how have you defined your eventtype? That must be on some criteria, right? Should be possible to use the same to construct the action field.</P> Mon, 06 Aug 2018 09:42:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393021#M114332 FrankVl 2018-08-06T09:42:07Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393022#M114333 <P>Weird. It seems like the eval for action just refuses to work, I even tried changing the action to evalAction, and manually filtering mod_action to be N.A for the auth events, but while the mod_action for auth events became N.A, when I got evalAction to check if mod_action is N.A and return the outcome field if it is and mod_action field if it is not, the if statement keeps evaluating to false and mod_action values are displayed for evalAction. Guess it’s just some issue’s with Splunk so I’ll try again tmr</P> Tue, 29 Sep 2020 20:47:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393022#M114333 jmteo 2020-09-29T20:47:58Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393023#M114334 <P>Are you doing this in props.conf or in the search bar?</P> <P>If in props.conf, it should be <CODE>EVAL-action = ...</CODE></P> Mon, 06 Aug 2018 12:06:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393023#M114334 FrankVl 2018-08-06T12:06:56Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393024#M114335 <P>I am doing this through the "evaluated fields" section under fields and adding an eval statement for the splunk TA that I am developing. I have looked at the props.conf present in the local folder, the eval statement is as I have added in the splunk UI</P> Mon, 06 Aug 2018 14:07:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393024#M114335 jmteo 2018-08-06T14:07:00Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393025#M114336 <P>In props.conf it should read <CODE>EVAL-action = ...</CODE></P> Mon, 06 Aug 2018 14:58:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393025#M114336 FrankVl 2018-08-06T14:58:21Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393026#M114337 <P>Yeap, that's how it looked like in my local props.conf file for my add-on before I changed it to try something else, which is why all the more I am puzzled that no matter how I try today, the evaluation is not working properly. I will try again tomorrow to see how it goes, it might just be a case of my splunk instance lagging. Thanks for your help so far <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 06 Aug 2018 15:05:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-using-eval-by-eventtype/m-p/393026#M114337 jmteo 2018-08-06T15:05:13Z