Splunk Search

How to write a field aliases using the EVAL command for a firewall device.

Hemnaath
Motivator

Hi All, I need to write a field aliases using EVAL command for the below mentioned fields.

Field Name :         Value
action   --->        Allow
action   ---->       Deny
tcp_flag   --->      A
tcp_flag   --->      S

Eval statement: 
EVAL-action=if(action="Allow", "allowed", action)
EVAL-action=if(action="Deny", "blocked", action)
EVAL-tcp_flag=if(tcp_flag="A","ACK",tcp_flag)
EVAL-tcp_flag=if(tcp_flag="S","SYN",tcp_flag)

Kindly guide me how to write a Field aliases using the Eval command.

thanks in advance.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

In search query, the eval commands might look something like this.

... | eval action=case(action="Allow", "allowed", action="Deny", "blocked", 1=1, action) | eval tcp_flag=case(tcp_flag="A", "ACK", tcp_flag="S", "SYN", tcp_flag) | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

In search query, the eval commands might look something like this.

... | eval action=case(action="Allow", "allowed", action="Deny", "blocked", 1=1, action) | eval tcp_flag=case(tcp_flag="A", "ACK", tcp_flag="S", "SYN", tcp_flag) | ...
---
If this reply helps you, Karma would be appreciated.

Hemnaath
Motivator

Hi Richgalloway, thanks for your effort on this, actually my requirement is to use props/transforms to apply field aliases and evals as needed for a firewall device using the Network Traffic CIM data model. I had compared the CIM model with firewall device and created field aliases for only the CIM fields that is populated by the information available in watchguard logs. But I have to use EVAL command for the above mentioned fields. When checked the props.conf --> Field Extraction configuration document found the below syntax for Eval. https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Propsconf

EVAL- =

EVAL-action=case(action="Allow", "allowed", action="Deny", "blocked", 1=1, action)
EVAL-tcp_flag=case(tcp_flag="A", "ACK", tcp_flag="S", "SYN", tcp_flag)

Can I write like this, Please guide me on this .

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, you can do that. Try the eval statements in a search before putting them in props.conf.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Hemnaath
Motivator

Hi richgalloway, the field aliases using the EVAL command for a firewall device worked perfectly. Using the below EVAL statement. Thanks a lot.

EVAL-action=case(action="Allow", "allowed", action="Deny", "blocked", 1=1, action)
EVAL-tcp_flag=case(tcp_flag="A", "ACK", tcp_flag="S", "SYN", tcp_flag="AS","SYN AND ACK")

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...