
Create an if statement whose result will create a new field with a constant value?


Hi all,

Is there a way to create an if statement whose result will create a new field with a constant value?

For example:

In a ten-minute time window:
if DeviceProduct=IPS pririty=7 AND src=10.10.10.10 And DeviceAction=block --> create new field with constant value: Action=B


Re: Create an if statement whose result will create a new field with a constant value?


Hi bugnet,
Did you try something like this:

| eval new_field=if(DeviceProduct="IPS" AND pririty=7 AND src="10.10.10.10" AND DeviceAction="block","constant_value",null())

Bye.
Giuseppe



Re: Create an if statement whose result will create a new field with a constant value?


Are you looking for something like following?

| eval Action=case(DeviceProduct=="IPS" AND pririty=="7" AND src="10.10.10.10" AND DeviceAction=="block","B",1==1,"OTHER")
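Putting the two replies together with the ten-minute window from the question, as an added example that is not code from either poster: the `index` and `sourcetype` values and the closing `stats`/`where` steps are assumptions, and the field name `pririty` is used exactly as spelled on the page. `case()` uses `true()` as its catch-all branch, and `if()` would need all three of its arguments.

```spl
index=security sourcetype=ips earliest=-10m@m latest=@m
| eval Action=case(
      DeviceProduct="IPS" AND pririty=7 AND src="10.10.10.10" AND DeviceAction="block", "B",
      true(), "OTHER")
| stats count AS events BY src, DeviceAction, Action
| where Action="B"
```

Every event that met all four conditions inside the window carries Action=B; the final two lines turn the flag into a per-source count of matching blocks, which is the shape you want for an alert condition.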