Solved: create if statment whose result will create a new ...

bugnet · ‎04-18-2017

Hi all,

There is a way to create if statment whose result will create a new field with a constant value?

For exemple:

In a ten-minute time window:
if DeviceProduct=IPS pririty=7 AND src=10.10.10.10 And DeviceAction=block --> create new field with constant value: Action=B

gcusello · ‎04-18-2017

Hi bugnet,
did you tried something like this:

| eval new_field=if(DeviceProduct="IPS" AND pririty=7 AND src="10.10.10.10" AND DeviceAction="block","constant_value")

Bye.
Giuseppe

View solution in original post

niketn · ‎04-18-2017

Are you looking for something like following?

| eval Action=case(DeviceProduct=="IPS" AND pririty=="7" AND src="10.10.10.10" AND DeviceAction=="block","B",1==1,"OTHER")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

gcusello · ‎04-18-2017

Hi bugnet,
did you tried something like this:

| eval new_field=if(DeviceProduct="IPS" AND pririty=7 AND src="10.10.10.10" AND DeviceAction="block","constant_value")

Bye.
Giuseppe

create if statment whose result will create a new field with a constant value?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

create if statment whose result will create a new field with a constant value?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...