Solved: eval expression to create a field with values more...

changux · ‎03-04-2016

Hi all.

I have a field called src with values like:

I want to create a new field that only shows the values that are greater than 1000, my search string looks like:

... | where src > 1000

I tried directly with ... | eval field= where src > 1000 and doesn't work. Also, tested with eval field=command(search subsearch) and also doesn't work.

Suggestions?

somesoni2 · ‎03-04-2016

Not sure what you're trying to achieve here. Do you want to create a new field if the value of src is greater than 1000 and store the value of src in the new field? If yes then try this

...| eval newfield=if(src>1000,src,null())

View solution in original post

somesoni2 · ‎03-04-2016

Not sure what you're trying to achieve here. Do you want to create a new field if the value of src is greater than 1000 and store the value of src in the new field? If yes then try this

...| eval newfield=if(src>1000,src,null())

eval expression to create a field with values more than other field

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

eval expression to create a field with values more than other field

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk