Splunk Search

Missing calculated field

ebs
Communicator

Hi,

In the logs being ingested, Splunk isn't automatically pulling out the action field, so I'm trying to create one for CIM compliance and so on. When I enter the eval command in the search function of Splunk, the field appears as expected; however, when I try to save that as a calculated field, it doesn't appear at all.

I'm on Splunk Cloud, so I don't have access to the .confs.

eval command: | eval action = case(status=="200","success",status=="422","failure")

calculated field: case(status=="200","success",status=="422","failure")

1 Solution

inventsekar
Super Champion

Better to contact Splunk Cloud Support; as you don't have access to the conf files, we can't do much. Thanks.

PS: Karma points appreciated. If your question is resolved, please accept this solution. Thanks.

inventsekar
Super Champion

Is this the first time you are creating a calculated field? (I mean, were you able to create them previously?)
Do you have enough capabilities (admin, power, etc.)?

Are your team members able to create a calculated field?

If all fails, it's better to contact your Splunk Cloud Support (as you cannot check the conf files). Thanks.


ebs
Communicator

First time creating them in the environment; yes, I am an admin and capable of creating them. They are, but when I check the calculated fields they built, they don't seem to be working either.

inventsekar
Super Champion

Are you able to use the calculated fields others created, the same way you tried with the calculated field you created?

The permissions... Did you share with all apps?

Did you follow all the steps, please...

  1. Select Settings > Fields.
  2. On the row for Calculated Fields, click Add new.
  3. Select the Destination app that will use the calculated field.
  4. Select a host, source, or source type to apply to the calculated field. Provide the name of the host, source, or source type.
    You can also enter a wildcard if you want to apply this for all hosts, sources, or source types.
  5. Name the resultant calculated field.
  6. Provide the eval expression used by the calculated field.

The knowledge object will be private to you when you first create it, meaning that other users cannot see it or use it. For other users to be able to use it, it must be shared to an app, or shared globally. For more information see Manage knowledge object permissions.

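For reference, the six UI steps above end up as an EVAL- key in props.conf, which Splunk Cloud users cannot open but can reason about. The fragment below is an added illustration, not from the thread or from Splunk's docs; the sourcetype name my_web_log is hypothetical. It puts the expression as posted in the question beside a corrected form, because an unquoted token in eval is read as a field name, not a string.

```ini
# Added illustration (not part of the original thread): what
# Settings > Fields > Calculated Fields writes into props.conf.
# "my_web_log" is a hypothetical sourcetype; on Splunk Cloud the UI form
# fills these same keys, you just never see the file.
[my_web_log]

# Expression as posted in the question. success and failure are unquoted,
# so eval treats them as field names. No such fields exist, case() returns
# null for every event, and the "action" field never shows up in results.
# EVAL-action = case(status=="200",success,status=="422",failure)

# Corrected form: string literals are quoted. A true() branch is added
# here so codes other than 200/422 still get a value instead of null.
EVAL-action = case(status=="200","success", status=="422","failure", true(),"unknown")

# Caveats that also make a calculated field "disappear":
#  - the stanza must match the event's sourcetype/source/host exactly
#    (or by wildcard), otherwise the EVAL- is never applied;
#  - "status" must already be a search-time extracted field. Calculated
#    fields are all evaluated from the extracted fields at once, so one
#    calculated field cannot reference another calculated field.
```

To check what was actually saved and where it is shared, a search such as `| rest /servicesNS/-/-/data/props/calcfields | search title="*action*" | table title eai:acl.app eai:acl.sharing value` lists the calculated-field entries with their app and sharing level (this assumes your role has the rest capability and that `data/props/calcfields` is the knowledge-object endpoint, as I recall it being). To confirm the field is applied, run `index=<your_index> sourcetype=my_web_log | stats count by status action` with no eval in the search: if action is populated there, the calculated field is working.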

ebs
Communicator

I've tried searching for the other calculated fields; they don't seem to be appearing. Yes, my permissions were global, and yes, I followed all the necessary steps.
