Solved: How to create an extracted field using existing ca...

chauhanviral82 · ‎05-04-2017

I am trying to create a new extracted field by using existing calculated field. The reason I want to do this is because I came to know that a calculated field can't be used to create another calculated field.

Example of what I am trying to achieve:

Combining values of 2 fields and assigning it to "fielda": `eval fielda=case(valueoffield=="a",valueoffieldx . "" . valueoffield_y)`
Use values of "fielda" and determine value of "fieldb" eval field_b=case(field_a=="expected_value","EXPECTED",field_a=="bad_value","BAD")

I can use this in search line just fine because I can have multiple eval statements in splunk search but I want to define brand new public fields with these same evals and I can't do multiple evals while creating a new public calculated field.
Is there any workaround to achieve #2 above?? i.e. can I create another regex field that uses the same values of "fielda" and use extracted field to create calculated "fieldb"?

somesoni2 · ‎05-04-2017

Try this for your 2nd calculated field:

eval field_b=case(case(value_of_field=="a",value_of_field_x . "_" . value_of_field_y)=="expected_value","EXPECTED",case(value_of_field=="a",value_of_field_x . "_" . value_of_field_y)=="bad_value","BAD")

View solution in original post

chauhanviral82 · ‎05-04-2017

Thank you so much! I was struggling with how to combine both of these into just one eval statement and this is exactly how I can do it. I really appreciate your help!!

How to create an extracted field using existing calculated field?

Re: How to create an extracted field using existing calculated field?

Re: How to create an extracted field using existing calculated field?