Solved: Re: Replace severity values by respective levels

sidtalup27 · ‎11-01-2022

Hello,
In the events, the severity is captured as values between 1 to 10. I want to represent them as High, Low, Medium etc.

For example,
if the severity is between 1 and 3 as Low
if the severity is between 4 and 5 as Medium, and so on

Please advise on how to achieve this.

Thanks in advance.

richgalloway · ‎11-01-2022

Use an eval with the case function to map severity numbers to names.

| eval severity = case(severity>=1 AND severity<=3,"Low",
                       severity>=4 AND severity<=5,"Medium",
                       severity>5,"High")

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-01-2022

Use an eval with the case function to map severity numbers to names.

| eval severity = case(severity>=1 AND severity<=3,"Low",
                       severity>=4 AND severity<=5,"Medium",
                       severity>5,"High")

---
If this reply helps you, Karma would be appreciated.

How to replace severity values by respective levels?

chart

eval

stats

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?