Splunk Search

How to create a new field using eval by eventtype?

Explorer

Hi guys,

I am trying to create an evaluated field, action, that will contain different values from different fields based on whether the eventtype is change, for mapping to the action field of the Change and Authentication CIM models respectively. After some research and searching around, I am still stuck on it.
My current eval statement is:
eval action = if('tag::eventtype'!="change", outcome, mod_action)
Examples of values: outcome => success, failure; mod_action => modified, deleted

Could someone kindly advise me as to what I am doing wrong here? Why is it that when I try this, Splunk always evaluates action to either outcome or mod_action, and not to one or the other depending on the eventtype? Thanks and have a pleasant day ahead 🙂


SplunkTrust

Do you mean to say that you get the result as the literal values 'outcome' and 'mod_action' instead of the actual values, or that, regardless of the condition, you get both values?

0 Karma

Explorer

For the current eval statement, the action field always evaluates to mod_action.

0 Karma

Ultra Champion

That sounds to me like there is something wrong with evaluating the 'tag::eventtype'!="change". I'm wondering if it is even possible to evaluate tags like that in eval statements?

Have you tried simply evaluating eventtype=foo, rather than through the tag? Otherwise, try and find some other knowledge to make the choice, rather than based on the eventtype.

0 Karma

Explorer

Hi Guys,

I have authentication events tagged as authentication, and change events tagged as change. What would be a possible way to do an eval like the one I asked about above, without using the tags, if the events contain no clear indication as to whether they are change or authentication events? I have tried with eventtypes as suggested above, but even that does not work, as action keeps being mod_action.

0 Karma

Ultra Champion

Does mod_action contain any value for authentication events? If not, you could simply do:

eval action = coalesce(mod_action,outcome)

Otherwise: how have you defined your eventtype? That must be on some criteria, right? Should be possible to use the same to construct the action field.

0 Karma
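As an added example (not code from any of the posters above), here is how the two suggestions in the reply above look in an add-on's configuration files: an eventtype defined on an explicit field criterion, and a calculated field in props.conf that reuses that same criterion instead of the tag. The sourcetype name my_ta:events, the eventtype search criteria and the field names are assumed for illustration; only the field names action, outcome and mod_action come from the thread. Note that Splunk evaluates calculated fields (EVAL-*) before it assigns eventtypes and tags during search-time processing, so eventtype and tag::eventtype are not yet populated when a props.conf eval runs; that is why the eval has to be written against the raw fields the eventtype itself is built on.

```ini
# eventtypes.conf (assumed): the change eventtype is keyed on mod_action being present.
[change]
search = sourcetype=my_ta:events mod_action=*

[authentication]
search = sourcetype=my_ta:events outcome=* NOT mod_action=*

# tags.conf (assumed): the tags the CIM data models look for.
[eventtype=change]
change = enabled

[eventtype=authentication]
authentication = enabled

# props.conf: calculated field, scoped to the add-on's sourcetype.
# Do NOT reference eventtype or tag::eventtype here; they are assigned
# after calculated fields are evaluated, so the condition would never match.
[my_ta:events]
# Reuse the eventtype's own criterion: a change event is one that carries mod_action.
EVAL-action = if(isnotnull(mod_action), mod_action, outcome)
# Equivalent shorter form when mod_action is always null for authentication events:
# EVAL-action = coalesce(mod_action, outcome)
```

In an ad-hoc search, by contrast, eventtypes have already been assigned by the time an eval command runs, so sourcetype=my_ta:events | eval action=if(eventtype=="change", mod_action, outcome) behaves as expected there; it is only inside the props.conf calculated field that the eventtype-based condition cannot work.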

Explorer

Weird. It seems like the eval for action just refuses to work. I even tried changing the action to evalAction, and manually filtering mod_action to be N.A for the auth events, but while the mod_action for auth events became N.A, when I got evalAction to check if mod_action is N.A and return the outcome field if it is and the mod_action field if it is not, the if statement keeps evaluating to false and mod_action values are displayed for evalAction. Guess it's just some issues with Splunk, so I'll try again tomorrow.

0 Karma

Ultra Champion

Are you doing this in props.conf or in the search bar?

If in props.conf, it should be EVAL-action = ...

0 Karma

Explorer

I am doing this through the "evaluated fields" section under Fields, adding an eval statement for the Splunk TA that I am developing. I have looked at the props.conf present in the local folder; the eval statement is as I added it in the Splunk UI.

0 Karma

Ultra Champion

In props.conf it should read EVAL-action = ...

0 Karma

Explorer

Yep, that's how it looked in my local props.conf file for my add-on before I changed it to try something else, which is all the more why I am puzzled that no matter how I try today, the evaluation is not working properly. I will try again tomorrow to see how it goes; it might just be a case of my Splunk instance lagging. Thanks for your help so far 🙂

0 Karma