Splunk Search

Transformation fields using Splunk UI

veera9
New Member

Team,
I need help in defining 3 new fields using Splunk User interface.

  1. Decision=Agree , Field Name should be "Decision" and Matching values is "Agree".
  2. Fieldname is "Time" , need this in the Timestamp format ( Dateand HH:MM:SS)
  3. SourceIP

Any help is greatly appreciated.

Tags (1)
0 Karma

cpetterborg
SplunkTrust
SplunkTrust

As @Sukisen1981 says, example data is needed. Without it, almost any answer will be a shot in the dark. You can obfuscate the data, but don't change the nature of it so that it is useful in helping you.

0 Karma

veera9
New Member

Is it OK to use "eval" in the Splunk field transformation UI?

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

As far as I know there is no way to do eval type expression in the Transformations. Not in the UI, or in the .conf files.

0 Karma

veera9
New Member

Thank you so much. Below are my requirements:

I want to define a field using the UI in Field Transformations in Field settings:

The field need to match a string value ex: "Agreed". I want the field name to be defined as "Decision".

When I search in the search box, I want the field "Decision" to appear in the list of fields.
Thank you for your time.
Raghu

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

You may want a transform. You may want a field extraction. They are similar. If the fields you want are related to a sourcetype, or to a source, then do a field extraction. If you want it to happen on any data, then do a transform.

But, I can't help you without an example data to look at. Just to look for a string and then make a field could be useful, and may not be. I assume from your description that you could have something other than Agreed as a value for Decision, otherwise you would never care about doing a field extraction. What you ask for without an example is equivalent to marking everything blue that you see as your favorite car.

0 Karma

Sukisen1981
Champion

1- Not clear, assuming you have a field, say X which has 'agree' and other values, if so try
eval Decision=Case(X="Agree","Decision")
2- eval Time=strftime(_time,"%d %H:%M:%S"). Are you missing year and/ or month components?
3- Witthout looking at your data its is hard to say but have you looked at this? ip extraction is very common question answered many times befre

https://answers.splunk.com/answers/49448/extract-ip-address-with-rex-or-trim.html
https://answers.splunk.com/answers/48882/need-to-extract-ip-address.html
https://answers.splunk.com/answers/438684/rex-ip-address-extraction.html

Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...