Solved: Re: If - Then Logic in Table Results With Column V...

SplunkLunk · ‎06-07-2017

Good morning,

I have a search that looks through and Oracle database for an ACTION_NAME:

source="dbx:[DB source]" sourcetype="oracle:audit:trail" USERNAME!=SYS AND ACTION_NAME=LOGON

Those events also include a RETURNCODE which defines if it was a successful logon. For example if the ACTION_CODE=LOGON and RETURNCODE=0, then it was a successful login. If ACTION_CODE=LOGON and RETURNCODE!=0, then it was a failed logon. How can I build a table that displays the RETUNRCODE as a text value of "Failed" or "Successful" based on the RETURNCODE value of 0 or <>0?

Any help would be appreciated. Thanks.

rjthibod · ‎06-07-2017

You can add the following to your query

| eval LogonStatus = if (RETURNCODE==0, "Successful", "Failed")

After that you will have a new field LogonStatus that you can use in your table as you see fit.

View solution in original post

rjthibod · ‎06-07-2017

You can add the following to your query

| eval LogonStatus = if (RETURNCODE==0, "Successful", "Failed")

After that you will have a new field LogonStatus that you can use in your table as you see fit.

SplunkLunk · ‎06-07-2017

Thank you! That is exactly what I am looking for! Much Appreciated.

If - Then Logic in Table Results With Column Value Based on Field Results in Search

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?