Knowledge Management

Help require to define calculate field

Explorer

Hi All,

I need to calculate field base on the below scenario.

need to create a new field signature but when field securityService = Antimalware then new signature field equals to securityService "" malwareCategory and if securityService = Antispam then signature field equals to securityService "" verdict .

Thanks in advance

0 Karma
1 Solution

Esteemed Legend

Create a Calculated Field called signature defined like this:

case(securityService == "Antimalware", securityService "_"  malwareCategory, securityService == "Antispam", securityService "_" verdict, true(), "BROKEN/FIXME")

View solution in original post

0 Karma

Esteemed Legend

Create a Calculated Field called signature defined like this:

case(securityService == "Antimalware", securityService "_"  malwareCategory, securityService == "Antispam", securityService "_" verdict, true(), "BROKEN/FIXME")

View solution in original post

0 Karma

Explorer

Thanks @woodcock but if we add three fields than it stops working

case(securityService == "Antimalware", securityService + "" + malwareCategory, securityService == "Antispam", securityService + "" + verdict, true(), "BROKEN/FIXME") (This on is working under calculated field)

case(securityService == "Antimalware", securityService + "" + malwareCategory +""+ category , securityService == "Antispam", securityService + "" + verdict + "" + category , true(), "BROKEN/FIXME") (This on is working when you use this under search using eval command but when you define it under calculated field it stops working)

0 Karma

Champion

please go through the eval documentation here https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Eval and here
https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usetheevalcommandandfunctions
eval can be used with if, case just like other programming languages
Your requirement is also not very clear, you say - when field securityService = Antimalware then new signature field equals to securityService and you give an example in bold
securityService = Antispam then signature field equals to securityService
So when securityService = both Antispam or Antimalware your signature field should eval out to securityService?
What is the difference when you are setting the securityService feild to the same value?

0 Karma