Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating new Field for Sourcetype to be searched against based off existing Field

santorof
Path Finder
‎12-04-2015 06:13 AM

I have a field called action and the only two possible results are 7 or 8. These relate to blocked or allowed and I want to create a new field similar using something like this:

eval action=case("7","Allowed","8","Blocked")

The new field(action_Taken) should be searchable against but I am not sure if this would be best accomplished through Calculated Fields or a macro and eval. I tried using Calculated Fields but from the documentation I have read It was only for operations not for what I want to use it for. And Macros I am not sure where to start.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-04-2015 07:41 AM

Hi, I would definitely go for Calculated Fields if you want this to be as transparent as possible for the user. You can even define them from the GUI and restrict permissions so that this calculated field is only extracted for certain users.

Take a look at this.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-04-2015 07:41 AM

Hi, I would definitely go for Calculated Fields if you want this to be as transparent as possible for the user. You can even define them from the GUI and restrict permissions so that this calculated field is only extracted for certain users.

Take a look at this.

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎12-04-2015 07:48 AM

For instance, look at this built-in calculated field that comes with the Stream app:

name: stream:http : EVAL-action
field name: action
expression:

case(status>=200 AND status<300, "allowed", status>=400, "blocked")

Isn't that very similar to what you are trying to do?

0 Karma
Reply
Solved! Jump to solution

santorof
Path Finder
‎12-04-2015 08:03 AM

This worked perfectly. Created a new field that other people can see that's simply Allowed and Blocked. Thank You!

Edit: Any reason I cant search against this new field where action=Allowed
Edit Edit: Reading the documentation fine print " Cannot base calculated field s on lookup fields since evaluation of calculation fields takes place after search time field extraction"

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎12-04-2015 07:33 AM

Tags may be your answer

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Defineandusetags

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...