Solved: Create a new field using other field values concat...

scout29 · ‎09-18-2024

I am trying to create a new field called "description" that contains values from two other existing fields.

If field "app" is equal to linux than i want to combine existing fields "host" and "alert_type".

If field "app" is equal to windows than i want to combine existing field values "host" and "severity"

If app equals anything else, i want the value to be false.

Below is the eval i have, buts its not working:

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

dural_yyz · ‎09-18-2024

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

You didn't nest the second IF statement

| eval description=if('app'=="linux", host. "-" .alert_type',if('app'==windows, host. "-" .severity, "false"))

View solution in original post

dural_yyz · ‎09-18-2024

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

You didn't nest the second IF statement

| eval description=if('app'=="linux", host. "-" .alert_type',if('app'==windows, host. "-" .severity, "false"))

Create a new field using other field values concatenated

eval

field extraction

fields

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?