Splunk Search

Creating a new field from another field

emcglade
Engager

Hi, 

Wondering if anyone can help. 

I am trying to create a new field called FS_Owner_Mail using |eval from both the mail and FS_Owner existing fields but not too sure how to work it into the below search.

 

index=varonis sourcetype=xxx:varonis:csv:reports
| eval User_Group=replace(replace('User_Group',"xxxxl\\\\","")," ","")
| join type=left User_Group
[ search index=ad source=xxx_adgroupmemberscan memberSamAccountName="*_xxx" earliest=-48h
| dedup groupSamAccountName, memberSamAccountName
| rename groupSamAccountName as User_Group, memberSamAccountName as Member
| join type=left Member
[ search index=ad source="xxx_aduserscan" samAccountName="*_xxx"
| dedup samAccountName
| rename samAccountName as Member
| table Member, displayName, mail]
| stats values(Member) as Member, values(displayName) as DisplayName, values(mail) as Mail by User_Group
| eval User_Group=replace(replace('User_Group',"_xxx","")," ","")]
| table Access_Path Current_Permissions, DisplayName, FS_Owner, Flags, Inherited_From_Folders, Mail, Member, User_Group

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| eval FS_Owner_Mail=FS_Owner."_".Mail

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| eval FS_Owner_Mail=FS_Owner."_".Mail
0 Karma

emcglade
Engager

Thank you, looks great!

can you explain the logic and where it would best be in the search? 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

At the end when you have values for FS_Owner and Mail?

0 Karma

emcglade
Engager

Perfect looks really good!

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...