Setting field based on eventtype

lakromani
Builder

I use eventtypes.conf to extract fields.
Then in tags.conf I set warning=enable for some of the fields.
Some are error and others are information.

In my search, this then shows up as eventtype=xyz, tag=error

I would like to change this so I get a new field called severity.
How do I set the severity field based on eventtype?

Instead of

tag=information
tag=warning
tag=error

I would like

severity=information
severity=warning
severity=error

This should be generated by the various type of events.
Generating the tags is easily done in tags.conf, but that is not what I need; I just need the field severity based on the different types of events.

0 Karma

andre_tucker
Path Finder

I believe I understand what you want to do now. Normally you would use an alias in order to create a new field with the same value of another field. (ex. If you alias source_ip=ip then you would be able to search for that field by using either of those field names). The problem is that this won't work very well for tags. If you alias a tag then you are creating a new field called severity and that field will contain the value of ANY tag, not only the tags that you want because there is no way to say apply an alias only if the tag is a certain value. For example your severity field could end up something like severity=authentication if the authentication tag is also given to those events.

If you only want to have the severity field created when those tags contain those values, then you could use my previous suggestion.

 | eval severity=case(tag=="error", "error", tag=="info", "info", tag=="warning", "warning")

The problem is that you would have to do this to any search that you want it applied to. There is a slightly better way that you could achieve this, and that is by using an automatic lookup.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Knowledge/DefineanautomaticlookupinSplunkWeb

This will allow you to have a field called tag in the lookup and you can have tag=error, tag=info, tag=warning, then you could have another column called severity with the same values. After that put tag as your input field and severity as your output field. Then apply the automatic lookup to the sourcetype, host, or source that you want this to be applied to. Then anytime a tag within that sourcetype, host, or source has the value of any value in your lookup, a field called severity will be created with that value.

Let me know if this helps.

0 Karma

andre_tucker
Path Finder

You could use the eval command with an if or case statement.

| eval severity=case(tag=="error", "Medium", tag=="Info", "Low", tag=="fatal", "High")

Obviously you would need to change the tag= to whatever values of tags you want and the severities to whatever you would like.

0 Karma
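The two eval-based answers above derive severity from the tag field with a plain comparison. An added example, not from either poster, that hardens this for the case the thread is really about: tag is a multivalue field (an event that matches several eventtypes carries several tags, e.g. both "error" and "authentication"), so the search tests every value with mvfind and applies a precedence order so that the most severe matching tag wins. The index name "app", the sourcetype "myapp" and the tag values are constructed for the example and should be replaced with the real ones.

```spl
index=app sourcetype=myapp
| eval severity=case(
    isnotnull(mvfind(tag, "^error$")),       "error",
    isnotnull(mvfind(tag, "^warning$")),     "warning",
    isnotnull(mvfind(tag, "^information$")), "information",
    true(),                                  "unknown")
| fields - tag
| stats count BY severity, eventtype
```

mvfind returns the index of the first tag value that matches the regex, or null when none does, so isnotnull() is the correct test; case() stops at the first true branch, which is what gives error precedence over warning over information when an event carries more than one severity tag. The catch-all branch makes sure every event gets a severity value rather than silently dropping out of severity-based alerts. This has to live in the search (or a macro or saved search that every consumer uses): at search time Splunk evaluates calculated fields (EVAL-* in props.conf) and automatic lookups before it assigns event types and tags, so a props.conf calculated field or an automatic lookup keyed on tag sees an empty tag field and will never populate severity.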

lakromani
Builder

That could do it, but I would like to have it automatically created. It should substitute the tag 100%.

0 Karma

andre_tucker
Path Finder

I believe I may be misunderstanding what you are trying to do. Can you send an example of what your fields should be if the eventtype=xyz?

0 Karma

lakromani
Builder

See updated post.

0 Karma