Solved: Create a new field using other field values concat...

scout29 · ‎09-18-2024

I am trying to create a new field called "description" that contains values from two other existing fields.

If field "app" is equal to linux than i want to combine existing fields "host" and "alert_type".

If field "app" is equal to windows than i want to combine existing field values "host" and "severity"

If app equals anything else, i want the value to be false.

Below is the eval i have, buts its not working:

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

dural_yyz · ‎09-18-2024

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

You didn't nest the second IF statement

| eval description=if('app'=="linux", host. "-" .alert_type',if('app'==windows, host. "-" .severity, "false"))

View solution in original post

dural_yyz · ‎09-18-2024

| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

You didn't nest the second IF statement

| eval description=if('app'=="linux", host. "-" .alert_type',if('app'==windows, host. "-" .severity, "false"))

Create a new field using other field values concatenated

eval

field extraction

fields

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?