Splunk Search

How to write a field aliases using the EVAL command for a firewall device.

Hemnaath
Motivator

Hi All, I need to write a field aliases using EVAL command for the below mentioned fields.

Field Name :         Value
action   --->        Allow
action   ---->       Deny
tcp_flag   --->      A
tcp_flag   --->      S

Eval statement: 
EVAL-action=if(action="Allow", "allowed", action)
EVAL-action=if(action="Deny", "blocked", action)
EVAL-tcp_flag=if(tcp_flag="A","ACK",tcp_flag)
EVAL-tcp_flag=if(tcp_flag="S","SYN",tcp_flag)

Kindly guide me how to write a Field aliases using the Eval command.

thanks in advance.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

In search query, the eval commands might look something like this.

... | eval action=case(action="Allow", "allowed", action="Deny", "blocked", 1=1, action) | eval tcp_flag=case(tcp_flag="A", "ACK", tcp_flag="S", "SYN", tcp_flag) | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

In search query, the eval commands might look something like this.

... | eval action=case(action="Allow", "allowed", action="Deny", "blocked", 1=1, action) | eval tcp_flag=case(tcp_flag="A", "ACK", tcp_flag="S", "SYN", tcp_flag) | ...
---
If this reply helps you, Karma would be appreciated.

Hemnaath
Motivator

Hi Richgalloway, thanks for your effort on this, actually my requirement is to use props/transforms to apply field aliases and evals as needed for a firewall device using the Network Traffic CIM data model. I had compared the CIM model with firewall device and created field aliases for only the CIM fields that is populated by the information available in watchguard logs. But I have to use EVAL command for the above mentioned fields. When checked the props.conf --> Field Extraction configuration document found the below syntax for Eval. https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Propsconf

EVAL- =

EVAL-action=case(action="Allow", "allowed", action="Deny", "blocked", 1=1, action)
EVAL-tcp_flag=case(tcp_flag="A", "ACK", tcp_flag="S", "SYN", tcp_flag)

Can I write like this, Please guide me on this .

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, you can do that. Try the eval statements in a search before putting them in props.conf.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Hemnaath
Motivator

Hi richgalloway, the field aliases using the EVAL command for a firewall device worked perfectly. Using the below EVAL statement. Thanks a lot.

EVAL-action=case(action="Allow", "allowed", action="Deny", "blocked", 1=1, action)
EVAL-tcp_flag=case(tcp_flag="A", "ACK", tcp_flag="S", "SYN", tcp_flag="AS","SYN AND ACK")

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...