Solved: create if statment whose result will create a new ...

bugnet · ‎04-18-2017

Hi all,

There is a way to create if statment whose result will create a new field with a constant value?

For exemple:

In a ten-minute time window:
if DeviceProduct=IPS pririty=7 AND src=10.10.10.10 And DeviceAction=block --> create new field with constant value: Action=B

gcusello · ‎04-18-2017

Hi bugnet,
did you tried something like this:

| eval new_field=if(DeviceProduct="IPS" AND pririty=7 AND src="10.10.10.10" AND DeviceAction="block","constant_value")

Bye.
Giuseppe

View solution in original post

niketn · ‎04-18-2017

Are you looking for something like following?

| eval Action=case(DeviceProduct=="IPS" AND pririty=="7" AND src="10.10.10.10" AND DeviceAction=="block","B",1==1,"OTHER")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

gcusello · ‎04-18-2017

Hi bugnet,
did you tried something like this:

| eval new_field=if(DeviceProduct="IPS" AND pririty=7 AND src="10.10.10.10" AND DeviceAction="block","constant_value")

Bye.
Giuseppe

create if statment whose result will create a new field with a constant value?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

create if statment whose result will create a new field with a constant value?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits