Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help require to define calculate field

sumitkathpal
Explorer
‎05-05-2019 12:30 AM

Hi All,

I need to calculate field base on the below scenario.

need to create a new field signature but when field securityService = Antimalware then new signature field equals to securityService "" malwareCategory and if securityService = Antispam then signature field equals to securityService "" verdict .

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-05-2019 04:09 PM

Create a Calculated Field called signature defined like this:

case(securityService == "Antimalware", securityService "_"  malwareCategory, securityService == "Antispam", securityService "_" verdict, true(), "BROKEN/FIXME")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-05-2019 04:09 PM

Create a Calculated Field called signature defined like this:

case(securityService == "Antimalware", securityService "_"  malwareCategory, securityService == "Antispam", securityService "_" verdict, true(), "BROKEN/FIXME")
0 Karma
Reply
Solved! Jump to solution

sumitkathpal
Explorer
‎05-07-2019 06:43 PM

Thanks @woodcock but if we add three fields than it stops working

case(securityService == "Antimalware", securityService + "" + malwareCategory, securityService == "Antispam", securityService + "" + verdict, true(), "BROKEN/FIXME") (This on is working under calculated field)

case(securityService == "Antimalware", securityService + "" + malwareCategory +""+ category , securityService == "Antispam", securityService + "" + verdict + "" + category , true(), "BROKEN/FIXME") (This on is working when you use this under search using eval command but when you define it under calculated field it stops working)

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎05-05-2019 12:45 AM

please go through the eval documentation here https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Eval and here
https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Usetheevalcommandandfunctions
eval can be used with if, case just like other programming languages
Your requirement is also not very clear, you say - when field securityService = Antimalware then new signature field equals to securityService and you give an example in bold
securityService = Antispam then signature field equals to securityService
So when securityService = both Antispam or Antimalware your signature field should eval out to securityService?
What is the difference when you are setting the securityService feild to the same value?

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...