Solved: Re: Create a new field using other field values co...

scout29 · ‎09-18-2024

I am trying to create a new field called "description" that contains values from two other existing fields.

If field "app" is equal to linux than i want to combine existing fields "host" and "alert_type".

If field "app" is equal to windows than i want to combine existing field values "host" and "severity"

If app equals anything else, i want the value to be false.

Below is the eval i have, buts its not working:

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

dural_yyz · ‎09-18-2024

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

You didn't nest the second IF statement

| eval description=if('app'=="linux", host. "-" .alert_type',if('app'==windows, host. "-" .severity, "false"))

View solution in original post

dural_yyz · ‎09-18-2024

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

You didn't nest the second IF statement

| eval description=if('app'=="linux", host. "-" .alert_type',if('app'==windows, host. "-" .severity, "false"))

Create a new field using other field values concatenated

eval

field extraction

fields

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Join the Conversation