How to create a new field:value pair based on values of another field?

Contributor

Hi,

From our IDS logs, we have a field named "blocked" where the value is 0 for allowed and 1 for blocked. How can I create another field named action, which should have the value ("allowed" / "blocked") based on the values in the original 'blocked' field?

So, if event has blocked=0, then action=allowed.

Also, since this is for a CIM data model, having something permanent would be nice.

One way I could think of is to create a field alias for blocked -> action and then add a lookup table file for this new alias, mapping 0 -> allowed and 1 -> blocked.

Is there any better way to achieve this?

Thanks,

~ Abhi


Legend

Hi abhijittikekar,
you could create a calculated field called "action" with an eval expression like this:

if(blocked=0,"allowed","blocked")

Bye.
Giuseppe

Contributor

Hi Giuseppe,

Looks like blocked is getting a third value, '2', as well, so instead of an 'if' I ended up using a 'case', which works like a charm when testing in a search.

eval action=case(blocked=0, "allowed", blocked=1, "blocked", blocked=2, "would be blocked")

But when I created a calculated field, it did not appear in the search. Also, the original 'blocked' field disappeared as well. Not sure what could have caused this to happen. Once I deleted this calculated field, 'blocked' reappeared in the searches.

I made sure permissions are global (read for all and write for admin) and allowed for all applications. Just to put it out there, I am working on a 3-node SH cluster and logged in via an LB virtual URL. Not sure if that has anything to do with this.

Thanks,

~ Abhi


Legend

Hi abhijittikekar,
I don't think that the LB or SH cluster is the problem.
First, I suggest waiting a few minutes, because there's usually a delay in fields displaying (I never understood why!).
After that, verify that you're using the correct sourcetype.
Anyway, as you can see in the attached screenshots, it runs on my Splunk (sorry for the Italian interface).
Bye.
Giuseppe


Contributor

No luck yet. 😞

Re-created the action field, and it's been 2 days since then. The original blocked field still functions as expected, but the calculated field "action" is nowhere to be seen.

There are no other conflicting extractions for 'action' in props.conf:

# cat /opt/splunk/etc/apps/Splunk_TA_sourcefire/local/props.conf
[eStreamer]
FIELDALIAS-estreamer_dvc_SF = sensor AS dvc
FIELDALIAS-estreamer_category_SF = class_desc AS category
FIELDALIAS-estreamer_dest_SF = dest_ip AS dest
FIELDALIAS-estreamer_src_SF = src_ip AS src
FIELDALIAS-estreamer_severity_SF = priority AS severity
FIELDALIAS-severity_id_for_estreamer = priority AS severity_id
EVAL-action = action=case(blocked=0, "allowed",blocked=1,"blocked", blocked=2, "would be blocked")

[estreamer]

Not sure what else to check here. I have opened a support case for this and will report back as soon as we solve it.

Thanks,

~ Abhi

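The props.conf posted above almost certainly explains the missing field, and it also applies to the calculated field Giuseppe suggested earlier. For a calculated field, the right-hand side of EVAL-<fieldname> is the eval expression only; Splunk supplies the assignment to <fieldname>. The posted line puts "action=" inside the expression, so Splunk evaluates "action=case(...)" as a comparison against a field that does not yet exist, which produces no value and therefore no action field (in the search bar the same text works because there the "eval action=" prefix is the assignment). The stanza below is an added example written for this thread, not the thread's own configuration and not the shipped Splunk_TA_sourcefire configuration; it shows the posted line (commented out) beside the corrected one. The [eStreamer] stanza name and the three blocked values come from the thread; the final true() branch and the comments are assumptions added here.

```ini
# props.conf (local) - added example, not the app's shipped configuration.
# Stanza names are case-sensitive: this stanza only applies to events whose
# sourcetype is exactly "eStreamer". The posted file also has an empty
# [estreamer] stanza; if the events actually carry that lower-case sourcetype,
# nothing under [eStreamer] will ever fire.
[eStreamer]

# As posted: the expression itself contains "action=", so Splunk evaluates a
# comparison (action == case(...)) instead of an assignment. The result is
# null, so no "action" field is created.
# EVAL-action = action=case(blocked=0, "allowed",blocked=1,"blocked", blocked=2, "would be blocked")

# Corrected: EVAL-<fieldname> takes the expression only; the field name comes
# from the setting name. The true() branch is an assumption added here so an
# unexpected value of blocked still yields a visible, searchable action value
# instead of silently dropping the field for that event.
EVAL-action = case(blocked=0, "allowed", blocked=1, "blocked", blocked=2, "would be blocked", true(), "unknown")
```

To check that the setting is actually in effect on the search head, `splunk btool props list eStreamer --debug` shows which file each EVAL- setting comes from, and a search over the sourcetype with `| table blocked action` should then show both fields side by side. On a search head cluster, a props.conf edited by hand on one member is not replicated to the others; knowledge objects created through the UI are, and file-based changes are normally pushed with the deployer.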

Legend

Very strange; as you can see, in my test it works.
Tell me how Support answers!
Bye.
Giuseppe


SplunkTrust

And here is the info on adding calculated fields in data models.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Addanevalexpressionattribute