Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add a custom column based on host value

Naji
Explorer
‎07-19-2023 01:25 AM

Hi, let me first state that I am very new to Splunk.

How can I do the following please?

I would like to add a column called Department to my table. The department value is not part of the event data. It is  something I would like to assign based on the value of host: 

Department HostsIP Address
Saleshost115.20.10.5
 host215.20.10.15
 host315.20.10.25
HRhost415.20.10.35
 host515.20.10.45
 host615.20.10.55
IThost715.20.10.65
 host815.20.10.75
 host915.20.10.85

 

 I also would like to create a Department dropdown menu that filters hosts based on department (dashboard).

Thank you for your time. I appreciate all your help

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SanjayReddy
SplunkTrust
SplunkTrust
‎07-19-2023 01:38 AM

Hi @Naji 

you can add new field using eval condition

| eval Department =case(host IN("host1","host2","host3"),"Sales",host IN("host4","host5","host6"),"HR",host IN("host7","host8","host9"),"IT",1=1,"NoDept")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

SanjayReddy
SplunkTrust
SplunkTrust
‎07-19-2023 01:38 AM

Hi @Naji 

you can add new field using eval condition

| eval Department =case(host IN("host1","host2","host3"),"Sales",host IN("host4","host5","host6"),"HR",host IN("host7","host8","host9"),"IT",1=1,"NoDept")

0 Karma
Reply
Solved! Jump to solution

Naji
Explorer
‎07-19-2023 07:44 AM

This worked perfectly, thank you

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-19-2023 08:05 AM

Hi @Naji,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-19-2023 01:35 AM

Hi @Naji,

if the Department field isn't in the events, you have to create a lookup (called e.g. departments.csv) containing at least two columns (department and host for the enricment).

Then you can run a search like the following:

<your_search>
| lookup departments.csv host OUTPUT department
| rename 
   department AS Department
   host AS Hosts
   IP AS "IP Address"
| table Department Hosts "IP Address"

I supposed that the "IP Address" field is extracted as "IP", if not change adapt the search.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...