https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356287#M165937 <P>You may want a transform. You may want a field extraction. They are similar. If the fields you want are related to a sourcetype, or to a source, then do a field extraction. If you want it to happen on any data, then do a transform.</P> <P>But, I can't help you without an example data to look at. Just to look for a string and then make a field could be useful, and may not be. I assume from your description that you could have something other than <CODE>Agreed</CODE> as a value for <CODE>Decision</CODE>, otherwise you would never care about doing a field extraction. What you ask for without an example is equivalent to marking everything blue that you see as your favorite car. </P> Sun, 24 Sep 2017 21:30:29 GMT cpetterborg 2017-09-24T21:30:29Z https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356281#M165931 <P>Team,<BR /> I need help in defining 3 new fields using Splunk User interface.</P> <OL> <LI>Decision=Agree , Field Name should be "Decision" and Matching values is "Agree". </LI> <LI>Fieldname is "Time" , need this in the Timestamp format ( Dateand HH:MM:SS)</LI> <LI>SourceIP</LI> </OL> <P>Any help is greatly appreciated.</P> Sun, 24 Sep 2017 00:38:52 GMT https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356281#M165931 veera9 2017-09-24T00:38:52Z https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356282#M165932 <P>1- Not clear, assuming you have a field, say X which has 'agree' and other values, if so try<BR /> eval Decision=Case(X="Agree","Decision")<BR /> 2- eval Time=strftime(_time,"%d %H:%M:%S"). Are you missing year and/ or month components?<BR /> 3- Witthout looking at your data its is hard to say but have you looked at this? ip extraction is very common question answered many times befre</P> <P><A href="https://answers.splunk.com/answers/49448/extract-ip-address-with-rex-or-trim.html">https://answers.splunk.com/answers/49448/extract-ip-address-with-rex-or-trim.html</A><BR /> <A href="https://answers.splunk.com/answers/48882/need-to-extract-ip-address.html">https://answers.splunk.com/answers/48882/need-to-extract-ip-address.html</A><BR /> <A href="https://answers.splunk.com/answers/438684/rex-ip-address-extraction.html">https://answers.splunk.com/answers/438684/rex-ip-address-extraction.html</A></P> Sun, 24 Sep 2017 11:44:14 GMT https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356282#M165932 Sukisen1981 2017-09-24T11:44:14Z https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356283#M165933 <P>As @Sukisen1981 says, example data is needed. Without it, almost any answer will be a shot in the dark. You can obfuscate the data, but don't change the nature of it so that it is useful in helping you.</P> Sun, 24 Sep 2017 13:25:22 GMT https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356283#M165933 cpetterborg 2017-09-24T13:25:22Z https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356284#M165934 <P>Is it OK to use "eval" in the Splunk field transformation UI?</P> Sun, 24 Sep 2017 15:39:12 GMT https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356284#M165934 veera9 2017-09-24T15:39:12Z https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356285#M165935 <P>As far as I know there is no way to do eval type expression in the Transformations. Not in the UI, or in the .conf files.</P> Sun, 24 Sep 2017 19:47:07 GMT https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356285#M165935 cpetterborg 2017-09-24T19:47:07Z https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356286#M165936 <P>Thank you so much. Below are my requirements:</P> <P>I want to define a field using the UI in Field Transformations in Field settings:</P> <P>The field need to match a string value ex: "Agreed". I want the field name to be defined as "Decision".</P> <P>When I search in the search box, I want the field "Decision" to appear in the list of fields.<BR /> Thank you for your time.<BR /> Raghu</P> Sun, 24 Sep 2017 20:21:42 GMT https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356286#M165936 veera9 2017-09-24T20:21:42Z https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356287#M165937 <P>You may want a transform. You may want a field extraction. They are similar. If the fields you want are related to a sourcetype, or to a source, then do a field extraction. If you want it to happen on any data, then do a transform.</P> <P>But, I can't help you without an example data to look at. Just to look for a string and then make a field could be useful, and may not be. I assume from your description that you could have something other than <CODE>Agreed</CODE> as a value for <CODE>Decision</CODE>, otherwise you would never care about doing a field extraction. What you ask for without an example is equivalent to marking everything blue that you see as your favorite car. </P> Sun, 24 Sep 2017 21:30:29 GMT https://community.splunk.com/t5/Splunk-Search/Transformation-fields-using-Splunk-UI/m-p/356287#M165937 cpetterborg 2017-09-24T21:30:29Z