Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Help with trying to use two different calculated f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help with trying to use two different calculated fields to populate the signature CIM field
I'm trying to use a calculated field eval statement like this below :
field : sonicwall_signature
case(like(message,"%Possible TCP Flood%"), "TCP Flood", like(category,"%Network_Scan_Activity%"), "Port Scanning")
Then I have another calculated field to combine an extracted field called threat and the above sonicwall_signature :
field : signature
coalesce(threat,sonicwall_signature)
This all works if I test both evals in a query but it doesn't seem to be working the way I intend it to using calculated fields to combine the threat and sonicwall_signature values. I'm not sure if this is because field extraction precedence but I would welcome a possible solution.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @johnward4,
Instead of making these fields directly in the CIM and trying to chain them, go ahead and build the extractions on the original sourcetypes, this will give you a lot more flexibility and will allow you to have access to the field when running normal SPL searches without only having to use the DM for that.
You can also play around with the order in which Splunk handles field extraction and creation. You can see here the search time operation sequence:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Searchtimeoperationssequence
It's very interesting what you can do with that as it will allow you to know the order in which things work and what can be chained to what. For example since field extraction comes second and eval comes fifth, you can use those two steps to build you search.
Let me know if you have more questions about how that order works, happy to help out.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
sorry, but you can't chain calculated fields: https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/definecalcfields
Skalli
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
