Solved: eval expression to create a field with values more...

changux · ‎03-04-2016

Hi all.

I have a field called src with values like:

I want to create a new field that only shows the values that are greater than 1000, my search string looks like:

... | where src > 1000

I tried directly with ... | eval field= where src > 1000 and doesn't work. Also, tested with eval field=command(search subsearch) and also doesn't work.

Suggestions?

somesoni2 · ‎03-04-2016

Not sure what you're trying to achieve here. Do you want to create a new field if the value of src is greater than 1000 and store the value of src in the new field? If yes then try this

...| eval newfield=if(src>1000,src,null())

View solution in original post

somesoni2 · ‎03-04-2016

Not sure what you're trying to achieve here. Do you want to create a new field if the value of src is greater than 1000 and store the value of src in the new field? If yes then try this

...| eval newfield=if(src>1000,src,null())

eval expression to create a field with values more than other field

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

eval expression to create a field with values more than other field

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits