Missing calculated field

ebs
Communicator

Hi,

In the logs being ingested, Splunk isn't automatically pulling out the action field, so I'm trying to create one for CIM compliance and so on. When I enter the eval command in the search function of Splunk the field appears as expected; however, when I try to save that as a calculated field it doesn't appear at all.

I'm on Splunk Cloud, so I don't have access to the .confs.

eval command: | eval action = case(status=="200","success",status=="422","failure")

calculated field: case(status=="200","success",status=="422","failure")

1 Solution

inventsekar
Ultra Champion

Better to contact Splunk Cloud Support; as you don't have access to conf files, we can't do much. Thanks.

PS... Karma points appreciated. If your question is resolved, please accept this solution. Thanks.

inventsekar
Ultra Champion

Is this the first time you are creating a calculated field? (I mean, were you able to create them previously?)
Do you have enough capabilities (admin, power, etc.)?

Are your team members able to create a calculated field?

If all fails, it's better to contact your Splunk Cloud Support (as you cannot check the conf files). Thanks.

0 Karma

ebs
Communicator

First time creating them in the environment; yes, I am an admin and capable of creating them. They are, but when I check the calculated fields they built, they don't seem to be working either.

inventsekar
Ultra Champion

Are you able to use the calculated fields others created, the same way you tried with the calculated field you created?

The permissions... did you share with all apps?

Did you follow all the steps, please...

  1. Select Settings > Fields.
  2. On the row for Calculated Fields, click Add new.
  3. Select the Destination app that will use the calculated field.
  4. Select a host, source, or source type to apply to the calculated field. Provide the name of the host, source, or source type.
    You can also enter a wildcard if you want to apply this for all hosts, sources, or source types.
  5. Name the resultant calculated field.
  6. Provide the eval expression used by the calculated field.

The knowledge object will be private to you when you first create it, meaning that other users cannot see it or use it. For other users to be able to use it, it must be shared to an app, or shared globally. For more information see Manage knowledge object permissions.

0 Karma
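As an added example (not from the original thread), here are three searches that check each point of the procedure above from the search bar, which is all you have on Splunk Cloud without conf file access. The first one runs on constructed `makeresults` events, so it needs no data; it shows that string results in `case()` must be quoted (an unquoted `success` is read as a field name and returns null, so the calculated field silently produces nothing), and that a `true()` default keeps `action` from being null on statuses you did not list. The second one lists every calculated field the search head knows about with its app and sharing scope, using the `data/props/calcfields` REST endpoint. The third one runs against your real events with no `eval` at all; if the calculated field is correctly scoped to that sourcetype, `action` is populated by the search head before the `stats`. The index name `web` and sourcetype `web:access` are assumptions; substitute your own. Run the searches one at a time.

```spl
| makeresults count=3
| streamstats count AS n
| eval status=case(n==1, "200", n==2, "422", n==3, "500")
| eval action=case(status=="200", "success", status=="422", "failure", true(), "unknown")
| table status action

| rest /servicesNS/-/-/data/props/calcfields
| search field="action"
| table title stanza field value eai:acl.app eai:acl.sharing

index=web sourcetype="web:access"
| stats count BY status action
```

The first search returns 200/success, 422/failure and 500/unknown. In the second, `stanza` is the host, source or sourcetype the field is bound to: if it does not match what the third search's events actually carry as `sourcetype` (or `host`/`source`), the field will never fire, whatever the sharing. Two more caveats worth knowing: calculated fields are evaluated after field extraction but before lookups, so `status` must be an ordinary search-time extracted field, not one produced by a lookup; and the REST output is scoped to your user and the apps you can see, so an object another user left private will not be listed there either.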

ebs
Communicator

I've tried searching for the other calculated fields, they don't seem to be appearing. Yes, my permissions were global and yes I followed all the necessary steps

0 Karma
