Solved: create if statment whose result will create a new ...

bugnet · ‎04-18-2017

Hi all,

There is a way to create if statment whose result will create a new field with a constant value?

For exemple:

In a ten-minute time window:
if DeviceProduct=IPS pririty=7 AND src=10.10.10.10 And DeviceAction=block --> create new field with constant value: Action=B

gcusello · ‎04-18-2017

Hi bugnet,
did you tried something like this:

| eval new_field=if(DeviceProduct="IPS" AND pririty=7 AND src="10.10.10.10" AND DeviceAction="block","constant_value")

Bye.
Giuseppe

View solution in original post

niketn · ‎04-18-2017

Are you looking for something like following?

| eval Action=case(DeviceProduct=="IPS" AND pririty=="7" AND src="10.10.10.10" AND DeviceAction=="block","B",1==1,"OTHER")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

gcusello · ‎04-18-2017

Hi bugnet,
did you tried something like this:

| eval new_field=if(DeviceProduct="IPS" AND pririty=7 AND src="10.10.10.10" AND DeviceAction="block","constant_value")

Bye.
Giuseppe

create if statment whose result will create a new field with a constant value?

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?

create if statment whose result will create a new field with a constant value?

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar