Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Set field records & IF Statements

Kdeep
New Member
‎06-16-2013 05:13 PM

When I search my results I want it to update the field accordingly.

For example in my case when i search my Audit logs , The log contains the words "write control" and "Read control" within the text of the log but the field is set to Read Control instead of Write.

So if the log contains the word Write i want it to replace the field Accesses to Write instead of Read.

This is the search I am using

EventCode="5145" NOT Relative_Target_Name="Desktop.ini" NOT Share_Name="\*\IPC$" NOT Relative_Target_Name="\" | table Account_Name,Accesses, Share_Name,Relative_Target_Name,Da_te,Ti_me,AM_PM

Any help with this will be great...

Tags (3)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-17-2013 01:39 AM

..or do you mean that you want to create a new field (within the search) based on some text in the event?

... | eval Accesses = if(match(_raw, "Write Control"), "Write", "Read")

The eval will create the field Accesses (or change it if it already exists). If the string "Write Control" exists within the event (_raw is the whole event), Accesses will be set to "Write", otherwise it will be set to "Read".

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonEvalFunctions

/K

Reply

kristian_kolb
Ultra Champion
‎06-17-2013 01:30 AM

It is not really clear what you want to achieve. Do you have problems with the field extraction?

Or do you want to rename the field, based on its value?

Please post a few sample events.

/K

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...

From GPU to Application: Monitoring Cisco AI Infrastructure with Splunk Observability ...

AI workloads are different. They demand specialized infrastructure—powerful GPUs, enterprise-grade networking, ...

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...