Splunk Search

Have field a equal field b if event_type = xxx

bt149
Path Finder

I have a search that is based on two event types - admin_login and admin_change. Admin_Login has two fields that the admin_change does not. Those fields are "admin_login_name" and "admin_login_email."

The fields, other than those two previously mentioned, are the same.  What I'm looking to do:

If event_type=admin_login then admin_login_name = source_user_name AND admin_login_email = source_user_email.

Thanks in advance for the help.

1 Solution

ITWhisperer
SplunkTrust
| eval admin_login_name=if(event_type="admin_login",source_user_name,admin_login_name)
| eval admin_login_email=if(event_type="admin_login",source_user_email,admin_login_email)

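The accepted answer relies on one property of Splunk's `if()`: when the condition is false it returns the else-branch unchanged, so for `admin_change` events the two evals leave `admin_login_name` and `admin_login_email` exactly as they were (null if the event never had them). The following Python is an added reference model of that behaviour over constructed sample events, not code from the thread or from Splunk; the `index=admin_audit` base search, the `table` line and the sample events are assumptions, only the two `eval` lines come from the answer.

```python
"""Reference model of the accepted answer's two `eval ... if()` statements.

Added example, not from the original thread. Splunk's if() returns the
else-branch as-is, so on admin_change events the admin_login_* fields stay
unset (null), while on admin_login events they are overwritten from
source_user_name / source_user_email.
"""

# The complete search as it would be typed into Splunk. The index name, the
# base search and the table line are assumptions; the two eval lines are the
# accepted answer.
SPL_SEARCH = """
index=admin_audit (event_type="admin_login" OR event_type="admin_change")
| eval admin_login_name=if(event_type="admin_login",source_user_name,admin_login_name)
| eval admin_login_email=if(event_type="admin_login",source_user_email,admin_login_email)
| table _time event_type source_user_name admin_login_name admin_login_email
"""

TABLE_COLUMNS = ["_time", "event_type", "source_user_name",
                 "admin_login_name", "admin_login_email"]

# Constructed sample events (not real data). The third event carries a stale
# admin_login_name to show that the eval overwrites it on login events.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:00Z", "event_type": "admin_login",
     "source_user_name": "alice", "source_user_email": "alice@example.com"},
    {"_time": "2024-05-01T09:05:00Z", "event_type": "admin_change",
     "source_user_name": "alice", "source_user_email": "alice@example.com",
     "change": "role_assigned"},
    {"_time": "2024-05-01T09:10:00Z", "event_type": "admin_login",
     "source_user_name": "bob", "source_user_email": "bob@example.com",
     "admin_login_name": "stale"},
]


def splunk_if(condition, then_value, else_value):
    """Mirror Splunk's if(): return then_value when true, else else_value."""
    return then_value if condition else else_value


def apply_admin_login_evals(event):
    """Apply both eval statements from the answer to a single event dict."""
    out = dict(event)
    is_login = out.get("event_type") == "admin_login"
    # Referencing a missing field in Splunk yields null; dict.get gives None.
    out["admin_login_name"] = splunk_if(
        is_login, out.get("source_user_name"), out.get("admin_login_name"))
    out["admin_login_email"] = splunk_if(
        is_login, out.get("source_user_email"), out.get("admin_login_email"))
    # A null eval result means the field does not exist on the event.
    return {k: v for k, v in out.items() if v is not None}


def run_search(events):
    """Run the evals over every event and project the `table` columns."""
    rows = []
    for event in events:
        enriched = apply_admin_login_evals(event)
        rows.append({c: enriched[c] for c in TABLE_COLUMNS if c in enriched})
    return rows


if __name__ == "__main__":
    for row in run_search(SAMPLE_EVENTS):
        print(row)
```

Because the else-branch preserves whatever value was already there, the two evals are safe to run over a mixed `admin_login OR admin_change` result set; the `admin_change` rows simply come out without the two fields, and the `admin_login` rows get a name and email that can then be used as a common key (for example in a `stats ... by admin_login_name`) when correlating a change with the login that preceded it.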

bt149
Path Finder

Thank you very much.  I definitely over thought this one.

