Splunk Search

How to add a new field with constant value to table?

bugnet
Path Finder

Hi,

I'm trying to add a new field with a constant value to my table.

The new field is "Action", where "B" is the constant value (Action=B).

The new field appears correctly in the search, but in the table the "B" value does not appear in the column.

My table syntax:
(index=ips) OR (index=waf msg!=NULL) | eval Action=case(suser=block,"B", 1==1,"B") | where src = src | chart count over src by index | iplocation src | table src, Country, ips, waf , Action | addtotals labelfield=Summary

Any ideas?

Thanks

0 Karma
1 Solution

gcusello
Legend

Hi bugnet,
the problem is that the Action field isn't in the chart command so you should change your command.

I don't understand your search: what is your expectation?
In your chart command there is "by index" and in the table command index isn't present, can you explain better?
Bye.
Giuseppe


0 Karma

bugnet
Path Finder

Any ideas ?

0 Karma

gcusello
Legend

Hi bugnet,
try something like this

(index=ips) OR (index=waf msg!=NULL) 
| eval Action=case(suser=block,"B", 1==1,"B") 
| where src = src 
| iplocation src 
| stats values(Action) AS Action count AS Summary by src, Country, security_device ips
| table src Country security_device ips Summary Action
| addtotals labelfield=Summary

Bye.
Giuseppe

0 Karma

bugnet
Path Finder

Can you explain? Not working for me: "No results found"

0 Karma

gcusello
Legend

Hi bugnet,
This is an example, you have to adapt it to your situation, e.g.:

  • src is probably an IP address; if you insert | where src = src you surely get no results, so you probably have to delete the whole row;
  • your eval condition always has "B" as value, in this case you can simply use | eval Action="B" instead of your condition;
  • I don't know if "ips" is a search key; you inserted it in your starting example and I used it, but I don't know what it is, and so on.

Bye.
Giuseppe

0 Karma

bugnet
Path Finder

I can not understand the next command:
| stats values(Action) AS Action count AS Summary by src, Country, security_device ips

0 Karma

gcusello
Legend

Hi bugnet,
see http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Stats
every way:

  • the by-clause lists the names of one or more fields to group by;
  • values(X) returns the list of all distinct values of the field X as a multivalue entry.

It's important to insert values(X) because otherwise, after the stats command, you only have the by-clause fields.

Bye.
Giuseppe

0 Karma

bugnet
Path Finder

Hi,

The table should show the number of attacks from each security device plus a summary, while the Action field should indicate whether the src address is already blocked.

src | Country | waf | IPS | Summary | Action
101.xxx.xxx.93 | China | 35 | 10 | 45 | B
51.xx.x.3 | US | 21 | 10 | 31 |

0 Karma
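One way to build the table bugnet describes, following gcusello's point that stats/chart drop every field that is neither aggregated nor in the by-clause, is to carry the "blocked" information through the aggregation as a flag and derive Action afterwards. This is an added example, not code from the thread; it assumes the two indexes are named ips and waf and that an event with suser="block" (a literal string, not a field named block) means the source is already blocked.

```spl
(index=ips) OR (index=waf msg!=NULL)
| eval blocked=if(suser="block", 1, 0)
| stats count(eval(index="ips")) AS ips
        count(eval(index="waf")) AS waf
        max(blocked) AS blocked
        by src
| iplocation src
| eval Summary=ips+waf
| eval Action=if(blocked=1, "B", "")
| table src Country waf ips Summary Action
```

The per-index counts replace the chart command, so no field is lost: src survives as the by-clause field, the counts and the flag are aggregates, and iplocation can run on src afterwards. Action is recomputed after stats from the flag, which is why it appears in the table even though the original eval is gone by then.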