Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multiple Evals with multiple values that requires ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multiple Evals with multiple values that requires renaming
Hello,
I understand that you can have two evals in one line but i keep getting several errors when i try to combine two.
This eval is going into the calculated field to pull info from another field as well.
Attempted Eval:
lower(if(isnull(action),attempted_action,action)), case(action == "OVERWRITTEN", "modified", action == "OPENED", "read", action == "DOES_NOT_EXIST", "deleted", action == "SUPERSEDED", "acl_modified", action == "CREATED", "created")
What am I trying to achieve?
We want the action to display the attempted action field when the action field is blank. With the attempted action values, there are about 7 values that will appear in the action field. I would like them to be renamed to make the CIM data models in some way.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults count=20
| eval attempt_action="attempt"
| eval action=mvindex(split("OverWritten,Opened,Does_Not_Exist,Superseded,Created,",","),random()% 6)
| eval action=if(action="",NULL,action)
| fields - _time
| rename COMMENT as "this is sample, how about this eval logic?"
| eval result=case(isnull(action),attempt_action,upper(action) == "OVERWRITTEN", "modified", upper(action) == "OPENED", "read", upper(action) == "DOES_NOT_EXIST", "deleted", upper(action) == "SUPERSEDED", "acl_modified", upper(action) == "CREATED", "created")lower() can't work. try upper()
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the quick response.
The values that come back from both action & attempted_action fields are:
| Open |
| Set_security |
| Rename |
| Delete |
| Opened |
| Superseded |
| Created |
| Does_not_exist |
| Exists |
| Overwitten |
However some of these values may come back in all caps. I am using the lower() to make all values come back in all lowercase. Would this still work with lower or upper must still be used?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults count=20
| eval action=mvindex(split("OverWritten,Opened,Does_Not_Exist,Superseded,Created,",","),random()% 6)
| eval attempt_action=mvindex(split("OverWritten,Opened,Does_Not_Exist,Superseded,Created",","),random()% 5)
| eval action=if(action="",NULL,action)
| fields - _time
| rename COMMENT as "this is sample, how about this eval logic?"
| eval action=upper(if(isnull(action),attempt_action,action))
| eval result=case(action="OVERWRITTEN", "modified",action="OPENED","read", action="DOES_NOT_EXIST", "deleted", action = "SUPERSEDED", "acl_modified", action = "CREATED", "created")You used capitalized words(e.g. OVERWRITTEN), so I use upper()
lower() lowercase letters. Which command you use is as you like.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much! this works
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
