Solved: eval expression to create a field with values more...

changux · ‎03-04-2016

Hi all.

I have a field called src with values like:

I want to create a new field that only shows the values that are greater than 1000, my search string looks like:

... | where src > 1000

I tried directly with ... | eval field= where src > 1000 and doesn't work. Also, tested with eval field=command(search subsearch) and also doesn't work.

Suggestions?

somesoni2 · ‎03-04-2016

Not sure what you're trying to achieve here. Do you want to create a new field if the value of src is greater than 1000 and store the value of src in the new field? If yes then try this

...| eval newfield=if(src>1000,src,null())

View solution in original post

somesoni2 · ‎03-04-2016

Not sure what you're trying to achieve here. Do you want to create a new field if the value of src is greater than 1000 and store the value of src in the new field? If yes then try this

...| eval newfield=if(src>1000,src,null())

eval expression to create a field with values more than other field

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

eval expression to create a field with values more than other field

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...