Splunk Search

Why isn't calculated field working when trying to override an extracted value into a Network Resolution (DNS) data model's expected field?

j4adam
Communicator

Hi all,

I have some MSAD:NT6:DNS logs I'm trying to massage into the Network Resolution data model. I have a field extraction for message_type and now I'm trying to use a Calculated Field to override the extracted value into the data model expected field.

The extraction portion works great, and I tested the eval at the end of a search and it works fine:

sourcetype="MSAD:NT6:DNS" | eval message_type=if(message_type == "Rcv", "Query", "unknown")

However, when I create the Calculated Field in the web browser (Splunk Cloud, no access to props.conf) nothing changes and the original message_type remains.

Permissions are global, it's enabled and below are the relevant fields in the UI:

Name:            MSAD:NT6:DNS:EVAL-message_type
Field name:      message_type
Eval expression: if(message_type == "Rcv", "Query", "unknown")

I've also tried the eval expression explicitly including the field name:

Name:            MSAD:NT6:DNS:EVAL-message_type
Field name:      message_type
Eval expression: message_type=if(message_type == "Rcv", "Query", "unknown")

I assume there is just something wrong with my eval, but everything I read suggests an eval that works in the search bar should work in a calculated field.

Thoughts?

1 Solution

j4adam
Communicator

Just thought I'd get back to you with the solution. It appears there was an app already making the message_type field, and I'm guessing that app had higher precedence than my field. I decided to use a lookup table and it worked like a charm.


0 Karma
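The lookup-based fix described in the accepted answer, written out as Splunk configuration. This is an added example and not the original poster's configuration: the lookup name msad_dns_message_type, the CSV file name and its column names are assumptions, and the CSV row is a constructed sample containing only the one mapping the thread mentions (Rcv to Query). It relies on Splunk's search-time order, in which automatic lookups are applied after field extractions and calculated fields, so the lookup's OUTPUT replaces whatever an earlier extraction or a higher-precedence app's EVAL produced. A calculated field, by contrast, competes by attribute name: if another app defines EVAL-message_type for the same stanza, only one definition wins by app precedence and the other is silently ignored, which is why a uniquely named LOOKUP- class does not hit the same problem.

```ini
# --- lookups/msad_dns_message_type.csv (constructed sample table) ---
# raw_message_type comes from the existing message_type extraction;
# normalized_message_type is the value the Network Resolution data model
# expects. Add rows for other raw values as needed.
raw_message_type,normalized_message_type
Rcv,Query

# --- transforms.conf (lookup definition) ---
[msad_dns_message_type]
filename = msad_dns_message_type.csv
# Mirror the eval's else branch: when no row matches, output "unknown".
# default_match only applies when min_matches is greater than zero.
min_matches = 1
default_match = unknown
# The raw value is mixed case ("Rcv"); keep the match exact.
case_sensitive_match = true

# --- props.conf (automatic lookup) ---
[MSAD:NT6:DNS]
# Input: the pre-lookup message_type value, matched against raw_message_type.
# Output: normalized_message_type written back as message_type.
# OUTPUT is required here; OUTPUTNEW would leave the existing value untouched.
LOOKUP-msad_dns_message_type = msad_dns_message_type raw_message_type AS message_type OUTPUT normalized_message_type AS message_type
```

On Splunk Cloud, where props.conf and transforms.conf are not editable directly, the same three objects are created in the UI: upload the CSV under Settings > Lookups > Lookup table files, create the definition (with the min_matches and default_match settings under advanced options) under Lookup definitions, and create the automatic lookup under Automatic lookups, all shared globally. Before choosing this route, it is worth confirming the collision the thread suspects: a search such as `| rest /servicesNS/-/-/data/props/calcfields | search stanza="MSAD:NT6:DNS"` lists every calculated field defined on that sourcetype together with the owning app in eai:acl.app, which shows whether another app already claims EVAL-message_type.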


lguinn2
Legend

The first form of the calculated field is the correct one. Remove all the spaces from the expression and try it again. Sometimes Splunk can be funny about that, and since you aren't using the normal search command parser, this could be one of those funny times.

0 Karma

j4adam
Communicator

Hmmm. I thought it worked at first, but I guess I was wrong. Still the same issues.

0 Karma

masonmorales
Influencer

What happens if instead of trying to overwrite the existing (message_type) field, you try to create a new field with the same if statement?

0 Karma

j4adam
Communicator

Same result. I cloned it and set the field name to be test_field and the result was identical.

0 Karma