Hi guys,
I am trying to create an evaluated field, action, that will contain different values from different fields based on whether the eventtype is change, for mapping to the action field of the Change and Authentication CIM models respectively. After some research and searching around, I am still stuck on it.
My current eval statement is:
eval action = if('tag::eventtype'!="change", outcome, mod_action)
Examples of values: outcome => success, failure; mod_action => modified, deleted
Could someone kindly advise me as to what I am doing wrong here? Why is it that when I try this, Splunk always evaluates action to either outcome or mod_action, rather than to one of them depending on the eventtype? Thanks and have a pleasant day ahead.
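As an added example (not part of the original post), the same mapping written so the eventtype test works on the multivalue tag::eventtype field, run over constructed sample events; it assumes the eval runs in a search where eventtypes and tags are already applied, and that outcome and mod_action exist as described above.

```spl
| makeresults count=2
| streamstats count AS n
| eval outcome=if(n==1, "success", null()), mod_action=if(n==2, "modified", null())
| eval "tag::eventtype"=if(n==2, split("change,audit", ","), split("authentication,audit", ","))
| eval action=if(isnotnull(mvfind('tag::eventtype', "^change$")), mod_action, outcome)
| table n "tag::eventtype" outcome mod_action action
```

If the eval is defined as a calculated field, tag::eventtype is not yet populated, because calculated fields are evaluated before eventtypes and tags in Splunk's search-time operation order; a comparison against that NULL value then sends every event down the same branch, which matches the behaviour described in the question.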