Hi Gcusello, 
I have changed it and waited for like 30 minutes and still not works unfortunately. 

Here is the chart that it currently generates:

You can see that the calculated field is not works (the permissions are global it should work)

Hi @Eyal,

if the values of Action are only one word, you don't need to use like, but your can use equal:

case(Action="alert","allowed",Action="allow","allowed",Action="drop","blocked",Action="reset-both","blocked",Action="block-url","blocked",Action="deny","blocked")

Ciao.

Giuseppe

Hi @gcusello,

I have tried what you meant in the previous suggest unfortanually this did not worked as well, I have created additional parameter called Action_Test to see if the name of the parameter is might be the issue and this are the results:

Seems like the source issue comes from the name itself, cause your query defiantly works but not when I try to add this to the action field..

Do you might have another idea how to resolve this case? 🙂

Hi @Eyal,

are you sure that the action field isn't already existent?

try to make an eval

| eval action=coalesce(Action_Test,action)

or a rename

| rename Action_Test As action

Ciao.

Giuseppe

Hi @gcusello,

The value indeed exist already from the vendor itself he provide to values "Action" and "action".

The Action consist 100% of the values and action consists only 3%, There fore I wanted to transfer all the values to be in the action field as supposed to be according to the Network Traffic Data Model.

Hi @Eyal,

if you want to have the action value when present and the Action value when action is empty, please try this:

| eval action=coalesce(action,Action_Test)

before ina a search, then in a calculated field

ciao.

Giuseppe

Hi @gcusello,

First of all I really appreciate your help in this case!

Secondly, I have tried what you meant; It is working if i query this from the command line.

However, Is not working if I put it as a calculated field that is my major problem If I want my index to be complied with the Data Model (Traffic Network).

Hi @Eyal,

this could not be a problem because in the datamodel definition you can insert an eval calculation.

Anyway, did you tried to create also a calculated field with the coalesce?

Ciao.

Giuseppe

Hi @gcusello,

sorry for not replying I had an issue to sign in, In the last 2 days.
I did made the coalesce that you have sent and it still not works.

This is the calculated fields:

Looks like the actual issue is the fact the the field action already exist and therefore can not calculate this field as supposed to be, Since the attempt of Action_Test did worked.

Hi @Eyal ,

please try this calculated field:

if(action="allowed" OR action="blocked",action,Action)

if it doesn't run, opena a case to Splunk Support.

Ciao.

giuseppe

I see, Good to know 🙂

Yeah I have added this as a calculated field still not works..

Hi @Eyal,

please try:

| eval action=coalesce(action,Action)

as a calculated field.

Ciao.,

Giuseppe

Hi @gcusello,

I have tried all you have suggested until now and unfortunately its still not works 😞

Do you have any other suggestion maybe?

Hi @Eyal,

soryy i I forgot it: did you tried:

if(action="allowed" OR action="blocked",action,Action)

?

Ciao.

Giuseppe

Hi @gcusello ,

Can you please explain how is it supposed to help in our case?

under what value should I calculate this fields? action?

Hi @Eyal,

as you displayed, the action field coud have the values "alowed" or "blocked".

If it has one of these values, the value is taken, otherwise to the action field os assigned the value from the Action field.

Try this approach to see in in this case the calculated field works as it should do.

Ciao.

Giuseppe

Hi @gcusello,

I have tried what you have suggested I don't see it is actually works..
I see the Action_Test works perfectly I think the fact that we already have a value called action is the reason why it breaks, Do you think it is possible to be the reason?

Thanks,

Eyal

Hi @Eyal,

did you tested my last solution?

If it continues to fail I haven't any solution!

I'm sorry!

Last try: did you tried to add my last solution, directly in the data Model Add field feature, not passing through Calculated fields?

Ciao.

Giuseppe

Hi @gcusello,

Can you please provide me the steps how do I use the Add field feature directly in the data Model?

I tried to find it without any success, I would like try this solution before we give up 🙂

Thanks!!