
How to write field aliases using the EVAL command for a firewall device.

Motivator

Hi all, I need to write field aliases using the EVAL command for the below-mentioned fields.

Field Name   --->   Value
action       --->   Allow
action       --->   Deny
tcp_flag     --->   A
tcp_flag     --->   S

Eval statement: 
EVAL-action=if(action="Allow", "allowed", action)
EVAL-action=if(action="Deny", "blocked", action)
EVAL-tcp_flag=if(tcp_flag="A","ACK",tcp_flag)
EVAL-tcp_flag=if(tcp_flag="S","SYN",tcp_flag)

Kindly guide me on how to write field aliases using the EVAL command.

Thanks in advance.

0 Karma

SplunkTrust

In a search query, the eval commands might look something like this.

... | eval action=case(action="Allow", "allowed", action="Deny", "blocked", 1=1, action) | eval tcp_flag=case(tcp_flag="A", "ACK", tcp_flag="S", "SYN", 1=1, tcp_flag) | ...
---
If this reply helps you, an upvote would be appreciated.


0 Karma

Motivator

Hi Richgalloway, thanks for your effort on this. Actually, my requirement is to use props/transforms to apply field aliases and evals as needed for a firewall device using the Network Traffic CIM data model. I compared the CIM model with the firewall device and created field aliases only for the CIM fields that are populated by the information available in WatchGuard logs. But I have to use the EVAL command for the above-mentioned fields. When I checked the props.conf --> Field Extraction configuration document, I found the below syntax for EVAL: https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Propsconf

EVAL-<fieldname> = <eval statement>

EVAL-action=case(action="Allow", "allowed", action="Deny", "blocked", 1=1, action)
EVAL-tcpflag=case(tcpflag="A", "ACK", tcpflag="S", "SYN", tcpflag)

Can I write it like this? Please guide me on this.

0 Karma

SplunkTrust

Yes, you can do that. Try the eval statements in a search before putting them in props.conf.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Motivator

Hi richgalloway, the field aliases using the EVAL command for a firewall device worked perfectly using the below EVAL statements. Thanks a lot.

EVAL-action=case(action="Allow", "allowed", action="Deny", "blocked", 1=1, action)
EVAL-tcpflag=case(tcpflag="A", "ACK", tcpflag="S", "SYN", tcpflag="AS", "SYN AND ACK", 1=1, tcpflag)

0 Karma
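To make the distinction in this thread concrete, here is an added props.conf stanza (example configuration, not taken from the thread or from a WatchGuard add-on) that combines both mechanisms: FIELDALIAS- for fields that only need a CIM name, and EVAL- for the fields whose values must also be rewritten. The sourcetype name and the raw field names src_ip, dst_ip and dst_port are assumptions for illustration; the action and tcpflag values are the ones discussed above.

```ini
# Added example, not from the original thread.
# Sourcetype name and the raw fields src_ip/dst_ip/dst_port are assumed.
[watchguard:firewall]

# FIELDALIAS- only exposes an existing value under a second (CIM) name.
# It cannot change the value, so it is the right tool for plain renames.
FIELDALIAS-cim_src  = src_ip AS src
FIELDALIAS-cim_dest = dst_ip AS dest
FIELDALIAS-cim_port = dst_port AS dest_port

# EVAL- defines a calculated field and can rewrite the value.
# The trailing "1=1, <field>" pair is the default branch: without it any
# value not listed (e.g. a flag other than A, S or AS) becomes null.
EVAL-action  = case(action="Allow", "allowed", action="Deny", "blocked", 1=1, action)
EVAL-tcpflag = case(tcpflag="A", "ACK", tcpflag="S", "SYN", tcpflag="AS", "SYN AND ACK", 1=1, tcpflag)
```

As the accepted answer recommends, run the same case() expressions in an ad-hoc search first (`... | eval action=case(...)`) and confirm with `| stats count by action` that every original value lands in an expected bucket before committing the stanza to props.conf; a missing default branch is easy to spot there because the unmatched values disappear from the output.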