Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Transformation fields using Splunk UI

veera9
New Member
‎09-23-2017 05:38 PM

Team,
I need help in defining 3 new fields using Splunk User interface.

  1. Decision=Agree , Field Name should be "Decision" and Matching values is "Agree".
  2. Fieldname is "Time" , need this in the Timestamp format ( Dateand HH:MM:SS)
  3. SourceIP

Any help is greatly appreciated.

Tags (1)
0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎09-24-2017 06:25 AM

As @Sukisen1981 says, example data is needed. Without it, almost any answer will be a shot in the dark. You can obfuscate the data, but don't change the nature of it so that it is useful in helping you.

0 Karma
Reply

veera9
New Member
‎09-24-2017 08:39 AM

Is it OK to use "eval" in the Splunk field transformation UI?

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎09-24-2017 12:47 PM

As far as I know there is no way to do eval type expression in the Transformations. Not in the UI, or in the .conf files.

0 Karma
Reply

veera9
New Member
‎09-24-2017 01:21 PM

Thank you so much. Below are my requirements:

I want to define a field using the UI in Field Transformations in Field settings:

The field need to match a string value ex: "Agreed". I want the field name to be defined as "Decision".

When I search in the search box, I want the field "Decision" to appear in the list of fields.
Thank you for your time.
Raghu

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎09-24-2017 02:30 PM

You may want a transform. You may want a field extraction. They are similar. If the fields you want are related to a sourcetype, or to a source, then do a field extraction. If you want it to happen on any data, then do a transform.

But, I can't help you without an example data to look at. Just to look for a string and then make a field could be useful, and may not be. I assume from your description that you could have something other than Agreed as a value for Decision, otherwise you would never care about doing a field extraction. What you ask for without an example is equivalent to marking everything blue that you see as your favorite car.

0 Karma
Reply

Sukisen1981
Champion
‎09-24-2017 04:44 AM

1- Not clear, assuming you have a field, say X which has 'agree' and other values, if so try
eval Decision=Case(X="Agree","Decision")
2- eval Time=strftime(_time,"%d %H:%M:%S"). Are you missing year and/ or month components?
3- Witthout looking at your data its is hard to say but have you looked at this? ip extraction is very common question answered many times befre

https://answers.splunk.com/answers/49448/extract-ip-address-with-rex-or-trim.html
https://answers.splunk.com/answers/48882/need-to-extract-ip-address.html
https://answers.splunk.com/answers/438684/rex-ip-address-extraction.html

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...