Splunk If else and severity search query

puneetkharband1
Path Finder

I am trying to write splunk search where I have 2 conditions and my query returns the results based on that 

for example if condition1 matches create a new field (SEVERITY)=SEV2
if condition 2 matches SEVERITY=SEV2 
else SEVERITY=SEV3

How can I achieve this? In my search string I am using a couple of fields to filter the data, putting that as the SEV2 criteria. I am able to filter it and get the results for both conditions, but I am stuck where I cannot call everything else SEV3.


ITWhisperer
SplunkTrust

| eval SEVERITY=if(condition1,"SEV2",if(condition2,"SEV2","SEV3"))


ITWhisperer
SplunkTrust

| eval SEVERITY=if(index="abc" AND sourcetype="QWE" AND action="XYZ", "SEV2", if(NOT (test="blabla" AND action="xyz"), "SEV2", "SEV3"))

Can you give an example of your current queries for a little context to what you are asking for?

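The same classification written out as a complete search, as an added example that is not part of the thread or ITWhisperer's reply. The index, sourcetype and field names are the placeholders used in this thread; the base search restricting to index abc and sourcetype QWE, and the use of case() in place of nested if(), are this example's own choices.

```spl
index="abc" sourcetype="QWE"
| eval SEVERITY=case(
      action=="XYZ", "SEV2",
      NOT (coalesce(test, "")=="blabla" AND lower(action)=="xyz"), "SEV2",
      true(), "SEV3")
| stats count BY SEVERITY
```

Two things differ between a condition in the base search and the same condition inside eval. In the base search, field=value matching is case-insensitive and an unquoted value is a literal; inside eval, an unquoted name is read as a field reference, so the literals must be quoted ("abc", "QWE", "XYZ"), and string comparison is case-sensitive, which is why the second condition lowercases action before comparing it with "xyz". coalesce(test, "") makes the second condition evaluate to a definite true or false even on events that have no test field at all, so every event ends up in one of the three buckets; the final true() arm is the "everything else" case that the original question was missing.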

puneetkharband1
Path Finder

Not sure you understood my question... thanks for looking into that... but how to define the condition in the search, that's where I am getting confused.

Condition 1
index=abc sourcetype=QWE
action=XYZ
OR
Condition 2
NOT (test=blabla AND action=xyz)
