Palo Alto has a field called “flags”. It can have several hex-type entries, but what I’m interested in is whether or not a session was decrypted, and this is the field that indicates that. What I could use a little help on, then I can go deeper, is how do I tell a field to return something usable: basically say, if the ‘flags’ field is 0x100000 then show me the words “Not Decrypted”, and if the ‘flags’ field is 0x1500000 then show me “Decrypted”. Past that, and with the syntax, I can build further. I’m guessing it’s an eval command, but I can’t figure it out.
help an amateur out? 🙂
Lots of ways to do that.
First, you can set up a lookup table that translates from one to another.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Lookup
| lookup mylookuptablename oldfieldname OUTPUT newfieldname
Second, if there are only a small number of values, you could use
| eval newfield=case(oldfieldname=somevalue, somenewvalue, oldfieldname=somevalue2, somenewvalue2, .... as many statements as you need ... true(), somedefaultvalue)
or
| eval newfield = if(oldfield=somevalue, somenewvalue, othernewvalue)
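Both approaches applied to the two flag values from the question, as an added example that is not part of the original answer. The index name, the sourcetype pan:traffic and the lookup name pan_flags_lookup.csv are assumptions; the first search builds the lookup table from scratch with makeresults and outputlookup so nothing has to be uploaded by hand. The true() branch of case() matters because flags is a bitmask: any session whose flags value is neither of the two listed will otherwise get no decrypt_state at all and silently drop out of a later stats ... by decrypt_state.

```spl
| makeresults count=2
| streamstats count AS n
| eval flags=if(n=1, "0x100000", "0x1500000"), decrypt_state=if(n=1, "Not Decrypted", "Decrypted")
| fields flags decrypt_state
| outputlookup pan_flags_lookup.csv

index=pan_logs sourcetype=pan:traffic
| lookup pan_flags_lookup.csv flags OUTPUT decrypt_state
| fillnull value="Unknown" decrypt_state
| stats count BY decrypt_state

index=pan_logs sourcetype=pan:traffic
| eval decrypt_state=case(flags="0x100000", "Not Decrypted",
                          flags="0x1500000", "Decrypted",
                          true(), "Unknown (" . flags . ")")
| stats count BY decrypt_state
```

The lookup variant needs the fillnull for the same reason case() needs true(): a flags value missing from the CSV returns no output field. The case() variant keeps the raw value in the "Unknown" label, which is the quickest way to discover which other bit combinations your firewall actually emits before you decide whether each of them counts as decrypted.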
@DalJeanis, I would just like to add that in case a statistical function (transforming commands like stats, chart or timechart) is being used in the same SPL where the field conversion has to happen, then the statistical function should be applied first, followed by the conversion of the field, for search optimization.
Also, within eval command there could be several functions that can be used, with case() being the most versatile as Dal pointed out: case(), if(), match(), like() etc. See the documentation for Comparison and Condition Eval functions: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions#Supported_fun...
Ideally you should use a lookup for easy maintenance, as Dal has mentioned. However, if you choose eval, you can save the same as a Calculated Field knowledge object for easy maintenance and reusability across your dashboards.
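The ordering point above, shown as an added example rather than code from the reply: the two searches return the same table, but the second one runs case() only once per distinct flags value after stats has already collapsed the events, instead of once per raw session. The index name, the sourcetype pan:traffic and the bytes field are assumptions.

```spl
index=pan_logs sourcetype=pan:traffic
| eval decrypt_state=case(flags="0x100000", "Not Decrypted",
                          flags="0x1500000", "Decrypted",
                          true(), "Other")
| stats count AS sessions, sum(bytes) AS total_bytes BY decrypt_state

index=pan_logs sourcetype=pan:traffic
| stats count AS sessions, sum(bytes) AS total_bytes BY flags
| eval decrypt_state=case(flags="0x100000", "Not Decrypted",
                          flags="0x1500000", "Decrypted",
                          true(), "Other")
| stats sum(sessions) AS sessions, sum(total_bytes) AS total_bytes BY decrypt_state
```

The second form needs a final stats to merge the distinct flags values that map to the same label, which is cheap because by that point the result set is a handful of rows. If the eval is saved as a Calculated Field instead, it is evaluated at search time on every event, so the first form is what you get implicitly; that is fine for small result sets and is the more maintainable option when the same mapping is reused across dashboards.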