- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to create a calculated compliance field in splunk web
Hi,
I need to create a calculated compliance field in splunk web.
the field should have the values like full, light,expanded and none in it.
Please help me out in creating this using eval function in step by step manner.
This is the first time i am creating this .
Regards,
Sundar
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi umsundar2015 ,
Are the values "Full","Expanded" etc are already part of raw event which is ingested in splunk? If so you can use field extractions.
Settings-->Fields-->FieldExtractions-->choose source or source type and their respective value..choose sample event, select regular expression and then highlight the values "Full","Expanded"etc in the sample selected event and create a filed and change the permissions of this field extraction to app /global level...this will create new filed that you can select from left pane of in the search bar.
If this does not work...if you can share mock sample event of your usecase then we can take a look at it.
Let us know how it goes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you provide your base search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=saesdp-server |fillnull|search status=Installed install_status=Installed company!=MNPD operational_status=Operational u_environment!=Dev u_environment!=Lab u_environment!=Dev u_environment!=Pilot u_environment!=QA os!="Windows" support_group!="MNDP" os!="os" u_os!="Windows" |eval name=lower(name)
This is my base search , which will be further joined with one more index
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And what is the logic for populating the compliance field?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It should be included in search like this ,
index=saesdp-server |fillnull|search status=Installed install_status=Installed company!=MNPD operational_status=Operational u_environment!=Dev u_environment!=Lab u_environment!=Dev u_environment!=Pilot u_environment!=QA os!="Windows" support_group!="MNDP" os!="os" u_os!="Windows" |eval name=lower(name)
|eval calculated_compliance=if(calculated_compliance="Full","Full","Expanded")
Can you please help in creating this field ,
