Splunk Search

SPL to take a field and make it a different "word"

coloradoark
New Member

Palo Alto has a field called “flags”. It can have several hex-type entries, but what I’m interested in is whether or not a session was decrypted, and this is the field that indicates that. What I could use a little help on, then I can go deeper, is how do I tell a field to return something usable; basically, say: if the ‘flags’ field is 0x100000 then show me the words “Not Decrypted”, and if the ‘flags’ field is 0x1500000 then show me “Decrypted”. Past that, and with the syntax, I can build further. I’m guessing it’s an eval command, but I can’t figure it out.

help an amateur out? 🙂


DalJeanis
Legend

Lots of ways to do that.

First, you can set up a lookup table that translates from one to another.

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Lookup

| lookup mylookuptablename oldfieldname OUTPUT newfieldname

Second, if there are only a small number of values, you could use eval and case.

| eval newfield=case(oldfieldname=somevalue, somenewvalue,  
        oldfieldname=somevalue2, somenewvalue2, 
        .... as many statements as you need ...
        true(), somedefaultvalue)  

or

| eval newfield = if(oldfield=somevalue, somenewvalue, othernewvalue) 

niketn
Legend

@DalJeanis, I would just like to add that in case a statistical function (transforming commands like stats, chart or timechart) is being used in the same SPL where the field conversion has to happen, then the statistical function should be applied first, followed by the conversion of the field, for search optimization.

Also, within eval command there could be several functions that can be used, with case() being the most versatile as Dal pointed out: case(), if(), match(), like() etc. See the documentation for Comparison and Condition Eval functions: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions#Supported_fun...

Ideally you should use a lookup for easy maintenance, as Dal has mentioned. However, if you choose eval, you can save the same as either a Macro or a Calculated Field knowledge object for easy maintenance and reusability across your dashboards.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
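Putting Dal's case() pattern and niketn's "aggregate first, translate second" ordering together, here is an added, self-contained search that is not from any of the posters above. It assumes the Palo Alto flags field arrives as a lowercase hex string (e.g. "0x100000") and builds its own sample events with makeresults, so it runs without any Palo Alto data indexed; the field name decryption and the sample values are constructed for the example.

```spl
| makeresults count=5
| streamstats count AS n
| eval flags=case(n=1, "0x100000",
                  n=2, "0x1500000",
                  n=3, "0x100000",
                  n=4, "0x1500000",
                  true(), "0x400000")
| stats count BY flags
| eval decryption=case(flags="0x1500000", "Decrypted",
                       flags="0x100000",  "Not Decrypted",
                       true(),            "Unknown (".flags.")")
| table flags decryption count
```

Because the comparison is an exact string match (there are no bitwise operators to test a single bit, as Rich notes below), keep the true() default clause: any flag combination you have not listed shows up as "Unknown (0x...)" in the results instead of silently becoming null, which is how you notice new values to add to the case() or to a lookup. If the source's hex casing varies, compare lower(flags) instead of flags.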

richgalloway
SplunkTrust

The gist is there are no bitwise operators in SPL.

---
If this reply helps you, Karma would be appreciated.