Splunk Enterprise Security

Calculated Field using Tags

harishbenne2
Explorer

I have a list of URLs in my website that is critical. So, I have marked all those URLs with a tag::critical using eventtype. However, I am unable to use tag field to filter data within the datamodel. So, I want to setup a field called content_priority that should have value of "critical" if the event has a critical tag , else set the field value to "normal".

I have configured a calculated field with following eval expression: if(tag=critical,"critical","normal")

However it does not seem to work at all. So, I am stuck with it now.

Any guidance would be much helpful and appreciated.

Labels (1)
0 Karma

PavelP
Motivator

Hello @harishbenne2,

which data model are you using? If you speaking about Splunk CIM ( https://docs.splunk.com/Documentation/CIM/latest/User/Overview ) then you can use only predefined tags. If you want to use some custom tags like critical, then you need to extend (i.e. modify) the data model - this can be easy done by cloning a suitable data model: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Managedatamodels#Clone_a_data_model

If you use custom data model already then you have to check your data model if such tag and this field (content_priority) are included.

0 Karma

harishbenne2
Explorer

Hi @PavelP,

I am using Web data model as of now. I didn’t know that we can’t use external tags within the data model queries.

However, my main concern is “could I setup a calculated field in index=DMZ based on tag values?”

0 Karma

PavelP
Motivator

Hallo @harishbenne2

EVAL is done before tagging, so you cannot use tags in eval

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...