Solved: Create a new field using other field values concat...

scout29 · ‎09-18-2024

I am trying to create a new field called "description" that contains values from two other existing fields.

If field "app" is equal to linux than i want to combine existing fields "host" and "alert_type".

If field "app" is equal to windows than i want to combine existing field values "host" and "severity"

If app equals anything else, i want the value to be false.

Below is the eval i have, buts its not working:

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

dural_yyz · ‎09-18-2024

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

You didn't nest the second IF statement

| eval description=if('app'=="linux", host. "-" .alert_type',if('app'==windows, host. "-" .severity, "false"))

View solution in original post

dural_yyz · ‎09-18-2024

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

You didn't nest the second IF statement

| eval description=if('app'=="linux", host. "-" .alert_type',if('app'==windows, host. "-" .severity, "false"))

Create a new field using other field values concatenated

eval

field extraction

fields

Can’t make it to .conf25? Join us online!

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Are you a member of the Splunk Community?