I have a field called action and the only two possible results are 7 or 8. These relate to blocked or allowed and I want to create a new field similar using something like this:
eval action_Taken=case(action==7,"Allowed",action==8,"Blocked")
The new field (action_Taken) should be searchable against, but I am not sure if this would be best accomplished through Calculated Fields or a macro and eval. I tried using Calculated Fields, but from the documentation I have read it was only for operations, not for what I want to use it for. And with Macros I am not sure where to start.
Hi, I would definitely go for Calculated Fields if you want this to be as transparent as possible for the user. You can even define them from the GUI and restrict permissions so that this calculated field is only extracted for certain users.
Take a look at this.
For instance, look at this built-in calculated field that comes with the Stream app:
name: stream:http : EVAL-action
field name: action
expression:
case(status>=200 AND status<300, "allowed", status>=400, "blocked")
Isn't that very similar to what you are trying to do?
This worked perfectly. Created a new field that other people can see that's simply Allowed and Blocked. Thank You!
Edit: Any reason I can't search against this new field where action=Allowed?
Edit Edit: Reading the documentation fine print: "Cannot base calculated fields on lookup fields since evaluation of calculation fields takes place after search time field extraction"
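A complete calculated-field definition for the case in this thread, as an added example that is not from the original posts or from the Stream app; the sourcetype name proxy_log and the app path are assumptions, and it assumes the numeric field action is already extracted at search time (that is what makes the derived field searchable):

```ini
# props.conf, under $SPLUNK_HOME/etc/apps/<your_app>/local/ (path is an assumption)
# Stanza name is the sourcetype of the events (proxy_log is an assumed name).
# Calculated fields run after search-time field extraction, so "action" must be a
# regular extracted field here, not a field added by a lookup.
[proxy_log]
EVAL-action_Taken = case(action==7, "Allowed", action==8, "Blocked")

# Test the expression inline before saving it as a calculated field:
#   sourcetype=proxy_log
#   | eval action_Taken=case(action==7,"Allowed",action==8,"Blocked")
#   | stats count by action, action_Taken
#
# Once the calculated field is saved, search it directly like any other field:
#   sourcetype=proxy_log action_Taken=Blocked
#
# Events whose action is neither 7 nor 8 get no action_Taken value at all, so a
# search for action_Taken=* doubles as a check that every event was classified.
```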
Tags may be your answer
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Defineandusetags