topic Re: How to make an existing field equal a certain value based on the value of another field? in Splunk Search

How to make an existing field equal a certain value based on the value of another field?

wtaylor149 — Wed, 09 Dec 2015 15:52:00 GMT

I have a need to make an existing field a value if another field is a certain value. Example:

what I want to do:
impact = Vulnerable then severity = high
impact = Potentially Vulnerable then severity = medium

Currently each of the impact fields come in as high, medium or low. We're looking to make them standard and trigger our Splunk ES to set the Urgency based on the severity we tell it.

I've tried the below search but nothing returns in the stats tab:

'my search' | eval severity = case(impact = Vulnerable, "high", impact = "Not Vulnerable", "medium") | stats count by impact, severity

Re: How to make an existing field equal a certain value based on the value of another field?

javiergn — Wed, 09 Dec 2015 16:49:31 GMT

Hi, provided 'my search' is correct, I can't see anything wrong with the eval or the stats count.
Maybe add a default value for your case with

eval severity = case(impact = Vulnerable, "high", impact = "Not Vulnerable", "medium", 1=1, "other")

And see if that's returning anything.

Re: How to make an existing field equal a certain value based on the value of another field?

wtaylor149 — Wed, 09 Dec 2015 17:11:53 GMT

Much appreciate the quick response however this is not working. The severity is coming up as "other". It is not picking up the eval statements.

I modified the eval statement slightly and it looks like it's working.
| eval severity = case(impact = "Vulnerable", "high", impact = "Not Vulnerable", "medium", 1=1, "other") | stats count by impact, severity