https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-with-a-numeric-value-in-a-CSV-input-file/m-p/232582#M68996 <P>For example, csv field is vulnerability severity (range of 1-10). I want to change that to one of 3 values depending on the numeric value, Moderate, Severe or Critical. I read that Lookup files cannot be used at index-time, so is there an alternative? </P> Thu, 14 Jan 2016 13:52:50 GMT corosco112 2016-01-14T13:52:50Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-with-a-numeric-value-in-a-CSV-input-file/m-p/232582#M68996 <P>For example, csv field is vulnerability severity (range of 1-10). I want to change that to one of 3 values depending on the numeric value, Moderate, Severe or Critical. I read that Lookup files cannot be used at index-time, so is there an alternative? </P> Thu, 14 Jan 2016 13:52:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-with-a-numeric-value-in-a-CSV-input-file/m-p/232582#M68996 corosco112 2016-01-14T13:52:50Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-with-a-numeric-value-in-a-CSV-input-file/m-p/232583#M68997 <P>Hi there! </P> <P>If I am understanding this correctly, you have a field called severity and with a range values 1-10, and depending the number, you want to change it to Moderate, Severe or Critical and use it after the change in another search, right?</P> <P>If this is the case, you could try something like this:<BR /> | eval priority= if(severity(your field)&gt;="0" AND severity&lt;5, "Moderate", if (severity &lt;"8" AND severity &gt;= "5", "Severe", if (severity &lt;= "10" AND severity &gt;= 8, "Critical","Unrated")))</P> <P>This will set a new field called priority the values 0-4 as Moderate, values from 5-8 SEvere and values from 8-10 Critical. </P> <P>I hope It works, If I am missunderstanding something or it doesn't work write it and I will try to help you more <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Thu, 14 Jan 2016 16:44:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-with-a-numeric-value-in-a-CSV-input-file/m-p/232583#M68997 marina_rovira 2016-01-14T16:44:30Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-with-a-numeric-value-in-a-CSV-input-file/m-p/232584#M68998 <P>There are a couple of options</P> <P>If you must do it at index time, you can use <CODE>SEDCMD</CODE> in your <CODE>props.con</CODE> to anonymize your data. See online documentation for more details<A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles">1</A>. The limitation with this howeever, is you cannot use <CODE>INDEXED_EXTRACTIONS</CODE> to extract your csv data. You will have to import them as <CODE>DELIM</CODE> and specify <CODE>FIELD</CODE> names in your transforms.</P> <P>The other option, would be to create a <CODE>calculated</CODE> field. This will add a new field that can be used in your searches. Read up on that here <A href="http://docs.splunk.com/Documentation/Splunk/6.1/Knowledge/definecalcfields">http://docs.splunk.com/Documentation/Splunk/6.1/Knowledge/definecalcfields</A></P> Thu, 14 Jan 2016 18:12:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-with-a-numeric-value-in-a-CSV-input-file/m-p/232584#M68998 sundareshr 2016-01-14T18:12:33Z https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-with-a-numeric-value-in-a-CSV-input-file/m-p/232585#M68999 <P>OK thanks. Right now I'm trying to create an automatic lookup to use at search time. But I'll try the calculated field method.</P> Thu, 14 Jan 2016 18:38:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-a-field-with-a-numeric-value-in-a-CSV-input-file/m-p/232585#M68999 corosco112 2016-01-14T18:38:50Z