topic Re: Add a custom column based on host value in Splunk Search

Add a custom column based on host value

Naji — Wed, 19 Jul 2023 08:25:04 GMT

Hi, let me first state that I am very new to Splunk.

How can I do the following please?

I would like to add a column called Department to my table. The department value is not part of the event data. It is something I would like to assign based on the value of host:

Department	Hosts	IP Address
Sales	host1	15.20.10.5
	host2	15.20.10.15
	host3	15.20.10.25
HR	host4	15.20.10.35
	host5	15.20.10.45
	host6	15.20.10.55
IT	host7	15.20.10.65
	host8	15.20.10.75
	host9	15.20.10.85

I also would like to create a Department dropdown menu that filters hosts based on department (dashboard).

Thank you for your time. I appreciate all your help

Re: Add a custom column based on host value

gcusello — Wed, 19 Jul 2023 08:35:49 GMT

Hi @Naji,

if the Department field isn't in the events, you have to create a lookup (called e.g. departments.csv) containing at least two columns (department and host for the enricment).

Then you can run a search like the following:

<your_search> | lookup departments.csv host OUTPUT department | rename department AS Department host AS Hosts IP AS "IP Address" | table Department Hosts "IP Address"

I supposed that the "IP Address" field is extracted as "IP", if not change adapt the search.

Ciao.

Giuseppe

Re: Add a custom column based on host value

SanjayReddy — Wed, 19 Jul 2023 08:38:49 GMT

Hi @Naji

you can add new field using eval condition

| eval Department =case(host IN("host1","host2","host3"),"Sales",host IN("host4","host5","host6"),"HR",host IN("host7","host8","host9"),"IT",1=1,"NoDept")

Re: Add a custom column based on host value

Naji — Wed, 19 Jul 2023 14:44:37 GMT

This worked perfectly, thank you

Re: Add a custom column based on host value

gcusello — Wed, 19 Jul 2023 15:05:59 GMT

Hi @Naji,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉