
how to create a calculated compliance field in splunk web

Path Finder

Hi,

I need to create a calculated compliance field in Splunk Web.
The field should have values like Full, Light, Expanded and None in it.

Please help me out in creating this using the eval function, in a step-by-step manner.

This is the first time I am creating this.

Regards,
Sundar

0 Karma

Re: how to create a calculated compliance field in splunk web

Builder

Can you provide your base search?

0 Karma

Re: how to create a calculated compliance field in splunk web

Path Finder

index=saesdp-server |fillnull|search status=Installed installstatus=Installed company!=MNPD operationalstatus=Operational uenvironment!=Dev uenvironment!=Lab uenvironment!=Dev uenvironment!=Pilot uenvironment!=QA os!="Windows" supportgroup!="MNDP" os!="os" u_os!="Windows" |eval name=lower(name)

This is my base search, which will be further joined with one more index.

0 Karma

Re: how to create a calculated compliance field in splunk web

Builder

And what is the logic for populating the compliance field?

0 Karma

Re: how to create a calculated compliance field in splunk web

Path Finder

It should be included in the search like this:
index=saesdp-server |fillnull|search status=Installed installstatus=Installed company!=MNPD operationalstatus=Operational uenvironment!=Dev uenvironment!=Lab uenvironment!=Dev uenvironment!=Pilot uenvironment!=QA os!="Windows" supportgroup!="MNDP" os!="os" uos!="Windows" |eval name=lower(name)
|eval calculated_compliance=if(calculated_compliance="Full","Full","Expanded")

Can you please help in creating this field?

0 Karma
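As an added example (not from this thread), here is one way to build the field with eval case() instead of an if() that references the field it is still defining. The fields av_status and patch_status and their values are hypothetical, since the thread does not say which raw fields drive the compliance level:

```spl
index=saesdp-server
| fillnull
| search status=Installed installstatus=Installed company!=MNPD operationalstatus=Operational
| eval name=lower(name)
| eval calculated_compliance=case(
      isnull(av_status) OR av_status="",                   "None",
      av_status="current" AND patch_status="current",      "Full",
      av_status="current" AND patch_status="partial",      "Expanded",
      true(),                                              "Light")
| stats count by calculated_compliance
```

case() returns the value of the first condition that is true, so put the strictest level first and keep true() as the catch-all; fillnull is left in so missing fields compare as empty strings rather than being dropped by the search.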

Re: how to create a calculated compliance field in splunk web

Communicator

Hi umsundar2015,

Are the values "Full", "Expanded" etc. already part of the raw event that is ingested into Splunk? If so, you can use field extractions.

Settings --> Fields --> Field Extractions --> choose source or sourcetype and their respective value; choose a sample event, select regular expression, then highlight the values "Full", "Expanded" etc. in the selected sample event and create a field. Change the permissions of this field extraction to app/global level. This will create a new field that you can select from the left pane in the search bar.

If this does not work, and if you can share a mock sample event of your use case, then we can take a look at it.

Let us know how it goes.

0 Karma