Solved: Create a new field using other field values concat...

scout29 · ‎09-18-2024

I am trying to create a new field called "description" that contains values from two other existing fields.

If field "app" is equal to linux than i want to combine existing fields "host" and "alert_type".

If field "app" is equal to windows than i want to combine existing field values "host" and "severity"

If app equals anything else, i want the value to be false.

Below is the eval i have, buts its not working:

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

dural_yyz · ‎09-18-2024

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

You didn't nest the second IF statement

| eval description=if('app'=="linux", host. "-" .alert_type',if('app'==windows, host. "-" .severity, "false"))

View solution in original post

dural_yyz · ‎09-18-2024

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

You didn't nest the second IF statement

| eval description=if('app'=="linux", host. "-" .alert_type',if('app'==windows, host. "-" .severity, "false"))

Create a new field using other field values concatenated

eval

field extraction

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation