Hi all,
I have some MSAD:NT6:DNS logs I'm trying to massage into the Network Resolution data model. I have a field extraction for message_type and now I'm trying to use a Calculated Field to override the extracted value into the data model expected field.
The extraction portion works great, and I tested the eval at the end of a search and it works fine:
sourcetype="MSAD:NT6:DNS" | eval message_type=if(message_type == "Rcv", "Query", "unknown")
However, when I create the Calculated Field in the web browser (Splunk Cloud, no access to props.conf) nothing changes and the original message_type remains.
Permissions are global, it's enabled and below are the relevant fields in the UI:
Name: MSAD:NT6:DNS:EVAL-message_type
Field name: message_type
Eval expression: if(message_type == "Rcv", "Query", "unknown")
I've also tried the eval expression explicitly including the field name:
Name: MSAD:NT6:DNS:EVAL-message_type
Field name: message_type
Eval expression: message_type=if(message_type == "Rcv", "Query", "unknown")
I assume there is just something wrong with my eval, but everything I read suggests an eval that works in the search bar should work in a calculated field.
Thoughts?
Just thought I'd get back to you with the solution. It appears there was an app already making the message_type field and I'm guessing that the app had a higher precedence over my field. I decided to use a lookup table and it worked like a charm.
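The lookup-table approach mentioned above, written out as an added example that is not the poster's own configuration: the lookup name dns_message_type_map, the CSV file name and the Snd row are assumptions, and the search only verifies the mapping before an automatic lookup is created in the UI.

```spl
# Constructed lookup file dns_message_type_map.csv (upload under
# Settings > Lookups > Lookup table files, then define the lookup
# dns_message_type_map on top of it and share it globally):
#
#   raw_type,message_type
#   Rcv,Query
#   Snd,Response
#
# Search-time check. The extracted message_type is renamed first so the
# lookup can write the normalized value back under the data-model name;
# fillnull reproduces the "unknown" default of the original eval.
sourcetype="MSAD:NT6:DNS"
| rename message_type AS raw_type
| lookup dns_message_type_map raw_type OUTPUT message_type
| fillnull value="unknown" message_type
| stats count BY raw_type message_type

# Automatic lookup (Settings > Lookups > Automatic lookups), applied to
# sourcetype MSAD:NT6:DNS:
#   lookup input field : raw_type = message_type
#   lookup output field: message_type = message_type
# Because a lookup runs after field extraction and the conflicting app's
# calculated field, its OUTPUT value wins; events with no matching row keep
# the raw value, so add rows for every value the sourcetype emits.
```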
The first form of the calculated field is the correct one. Remove all the spaces from the expression and try it again. Sometimes Splunk can be funny about that, and since you aren't using the normal search command parser, this could be one of those funny times.
Hmmm. I thought it worked at first, but I guess I was wrong. Still the same issues.
What happens if instead of trying to overwrite the existing (message_type) field, you try to create a new field with the same if statement?
Same result. I cloned it and set the field name to be test_field and the result was identical.