Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Missing calculated field

ebs
Communicator
‎10-28-2020 05:55 PM

Hi,

In the logs being ingested Splunk isn't automatically pulling out the action field, so I'm trying to create one for CIM compliance and so on. When I enter the eval command in the search function of Splunk the field appears as expected, however, when I try to save that as a calculated field it doesn't appear at all. 

I'm on Splunk cloud so I don't have access to the .confs

 

eval command: | eval action = case(status=="200",success,status=="422",failure)

calculated field: case(status=="200",success,status=="422",failure)

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-28-2020 09:18 PM

Better to contact Splunk Cloud Support, as you don't have access to conf files, we can't do much. Thanks.

 

PS...Karma points appreciated. If your question resolved, pls accept this solution. Thanks.

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-28-2020 07:21 PM

is this the first time you are creating a calculated field?(i mean, were you able to create them previously?)
do you have enough capabilities(admin, power, etc).

are your team members able to create a calculated field? 

if all fails, its better to contact your Splunk Cloud Support (as you can not check the conf files), thanks,.

0 Karma
Reply
Solved! Jump to solution

ebs
Communicator
‎10-28-2020 07:24 PM

First time creating them in the environment, yes I am an admin and capable of creating them. They are, but when I check the calculated fields they built they don't seem to be working either

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-28-2020 09:03 PM

Are you able use the calculated fields other created, the same way you tried with the calculated field you created?

The permissions... Did you share with all apps?

Did you followed all steps please...

  1. Select Settings > Fields.
  2. On the row for Calculated Fields, click Add new.
  3. Select the Destination app that will use the calculated field.
  4. Select a host, source, or source type to apply to the calculated field. Provide the name of the host, source, or source type.
    You can also enter a wildcard if you want to apply this for all hosts, sources, or source types.
  5. Name the resultant calculated field.
  6. Provide the eval expression used by the calculated field,

The knowledge object will be private to you when you first create it, meaning that other users cannot see it or use it. For other users to be able to use it, it must be shared to an app, or shared globally. For more information see Manage knowledge object permissions.

0 Karma
Reply
Solved! Jump to solution

ebs
Communicator
‎10-28-2020 09:05 PM

I've tried searching for the other calculated fields, they don't seem to be appearing. Yes, my permissions were global and yes I followed all the necessary steps

0 Karma
Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-28-2020 09:18 PM

Better to contact Splunk Cloud Support, as you don't have access to conf files, we can't do much. Thanks.

 

PS...Karma points appreciated. If your question resolved, pls accept this solution. Thanks.

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...