Knowledge Management

Creating new Field for Sourcetype to be searched against based off existing Field

santorof
Communicator

I have a field called action and the only two possible results are 7 or 8. These relate to blocked or allowed and I want to create a similar new field using something like this:

eval action_Taken=case(action=="7","Allowed",action=="8","Blocked")

The new field (action_Taken) should be searchable against, but I am not sure if this would be best accomplished through Calculated Fields or a macro and eval. I tried using Calculated Fields, but from the documentation I have read it was only for operations, not for what I want to use it for. And with macros I am not sure where to start.


javiergn
Super Champion

Hi, I would definitely go for Calculated Fields if you want this to be as transparent as possible for the user. You can even define them from the GUI and restrict permissions so that this calculated field is only extracted for certain users.

Take a look at this.


javiergn
Super Champion

For instance, look at this built-in calculated field that comes with the Stream app:

name: stream:http : EVAL-action
field name: action
expression:

case(status>=200 AND status<300, "allowed", status>=400, "blocked")

Isn't that very similar to what you are trying to do?


santorof
Communicator

This worked perfectly. Created a new field that other people can see that's simply Allowed and Blocked. Thank you!

Edit: Any reason I can't search against this new field where action=Allowed?
Edit Edit: Reading the documentation fine print: "Cannot base calculated fields on lookup fields since evaluation of calculation fields takes place after search time field extraction"

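As a concrete version of the approach javiergn describes, here is the props.conf stanza plus the permission entry that limits who gets the field. This is an added illustration, not configuration from the thread; the sourcetype name "firewall", the role name "security_analyst" and the local.meta object path are assumptions to check against your own deployment.

```ini
# props.conf  (sourcetype "firewall" is an assumed name)
[firewall]
# Search-time calculated field. It is evaluated after field extraction,
# so "action" must be an extracted field; a lookup output field will not work
# (the documentation caveat quoted above).
# The true() branch catches any value other than 7/8 so nothing silently vanishes.
EVAL-action_taken = case(action=="7", "Allowed", action=="8", "Blocked", true(), "Unknown")

# metadata/local.meta  (assumed object path: props/<sourcetype>/<attribute>)
# Restricts read access so only the listed roles see the calculated field.
[props/firewall/EVAL-action_taken]
access = read : [ admin, security_analyst ], write : [ admin ]
export = system
```

After the config is loaded, `sourcetype=firewall action_taken=Blocked` searches the new field directly, and `action_taken=Unknown` surfaces any events whose action value is neither 7 nor 8.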