Splunk Search

Why isn't calculated field working when trying to override an extracted value into a Network Resolution (DNS) data model's expected field?

j4adam
Communicator

Hi all,

I have some MSAD:NT6:DNS logs I'm trying to massage into the Network Resolution data model. I have a field extraction for message_type and now I'm trying to use a Calculated Field to override the extracted value into the data model expected field.

The extraction portion works great, and I tested the eval at the end of a search and it works fine:

sourcetype="MSAD:NT6:DNS" | eval message_type=if(message_type == "Rcv", "Query", "unknown")

However, when I create the Calculated Field in the web browser (Splunk Cloud, no access to props.conf) nothing changes and the original message_type remains.

Permissions are global, it's enabled and below are the relevant fields in the UI:

              Name               Field name                  Eval expression
MSAD:NT6:DNS:EVAL-message_type  message_type    if(message_type == "Rcv", "Query", "unknown")

I've also tried the eval expression explicitly including the field name:

              Name               Field name                  Eval expression
MSAD:NT6:DNS:EVAL-message_type  message_type    message_type=if(message_type == "Rcv", "Query", "unknown")

I assume there is just something wrong with my eval, but everything I read suggests an eval that works in the search bar should work in a calculated field.

Thoughts?

1 Solution

j4adam
Communicator

Just thought I'd get back to you with the solution. It appears there was an app already making the message_type field and I'm guessing that the app had a higher precedence over my field. I decided to use a lookup table and it worked like a charm.

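A worked version of the lookup approach described in the accepted answer, added here and not from the original poster. It is four separate searches to run one at a time, not one pipeline. Step 1 checks which app already owns message_type for the sourcetype, using the documented data/props REST endpoints (confirm the attribute names on your Splunk version). Steps 2 to 4 build the lookup, test it at search time and then make it automatic. The lookup name msad_dns_message_type, the Snd -> Response row and the sample values are assumptions; the poster's own eval only mapped Rcv -> Query, so adjust the table to what the events actually carry. The security-relevant point is search-time precedence: Splunk applies field extractions, then field aliases, then calculated fields, then lookups, so an automatic lookup overrides a value produced by any app's EVAL-message_type, and OUTPUT (not OUTPUTNEW) is required because the field already exists on the event.

```spl
`comment("Step 1: who defines message_type for MSAD:NT6:DNS? Check calculated fields, then regex extractions.")`
| rest /services/data/props/calcfields
| search stanza="MSAD:NT6:DNS" attribute="EVAL-message_type"
| table eai:acl.app eai:acl.sharing stanza attribute value

| rest /services/data/props/extractions
| search stanza="MSAD:NT6:DNS" value="*message_type*"
| table eai:acl.app eai:acl.sharing stanza attribute value

`comment("Step 2: build the lookup table. Constructed sample rows; the Snd -> Response mapping is an assumption.")`
| makeresults count=2
| streamstats count AS n
| eval raw_message_type=if(n==1, "Rcv", "Snd"),
       message_type=if(n==1, "Query", "Response")
| table raw_message_type message_type
| outputlookup msad_dns_message_type.csv

`comment("Step 3: test the override at search time. Input is the app's existing message_type (Rcv/Snd); OUTPUT overwrites it.")`
sourcetype="MSAD:NT6:DNS"
| lookup msad_dns_message_type.csv raw_message_type AS message_type OUTPUT message_type
| stats count BY message_type

`comment("Step 4: make it automatic. In Splunk Cloud: Settings > Lookups > Lookup definitions (msad_dns_message_type -> msad_dns_message_type.csv), then Automatic lookups on sourcetype MSAD:NT6:DNS. The on-prem props.conf equivalent is:")`
`comment("[MSAD:NT6:DNS]")`
`comment("LOOKUP-msad_dns_message_type = msad_dns_message_type raw_message_type AS message_type OUTPUT message_type")`
```

After step 4, rerun the step 3 search without the explicit lookup command; the stats output should show only Query and Response, which is what the Network Resolution data model expects for message_type. If step 1 shows the competing definition is a regex EXTRACT- rather than an EVAL-, the lookup still wins, because lookups run after extractions as well.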

lguinn2
Legend

The first form of the calculated field is the correct one. Remove all the spaces from the expression and try it again. Sometimes Splunk can be funny about that, and since you aren't using the normal search command parser, this could be one of those funny times.


j4adam
Communicator

Hmmm. I thought it worked at first, but I guess I was wrong. Still the same issues.


masonmorales
Influencer

What happens if instead of trying to overwrite the existing (message_type) field, you try to create a new field with the same if statement?


j4adam
Communicator

Same result. I cloned it and set the field name to be test_field and the result was identical.
