Hi,
In the logs being ingested, Splunk isn't automatically pulling out the action field, so I'm trying to create one for CIM compliance and so on. When I enter the eval command in the search function of Splunk, the field appears as expected; however, when I try to save that as a calculated field, it doesn't appear at all.
I'm on Splunk Cloud, so I don't have access to the .confs.
eval command: | eval action = case(status=="200","success",status=="422","failure")
calculated field: case(status=="200","success",status=="422","failure")
Is this the first time you are creating a calculated field? (I mean, were you able to create them previously?)
Do you have enough capabilities (admin, power, etc.)?
Are your team members able to create a calculated field?
If all fails, it's better to contact your Splunk Cloud Support (as you cannot check the conf files). Thanks.
First time creating them in the environment; yes, I am an admin and capable of creating them. They are, but when I check the calculated fields they built, they don't seem to be working either.
Are you able to use the calculated fields others created, the same way you tried with the calculated field you created?
The permissions... Did you share with all apps?
Did you follow all the steps, please...
The knowledge object will be private to you when you first create it, meaning that other users cannot see it or use it. For other users to be able to use it, it must be shared to an app, or shared globally. For more information see Manage knowledge object permissions.
I've tried searching for the other calculated fields; they don't seem to be appearing. Yes, my permissions were global, and yes, I followed all the necessary steps.
Better to contact Splunk Cloud Support; as you don't have access to conf files, we can't do much. Thanks.
PS... Karma points appreciated. If your question is resolved, please accept this solution. Thanks.