I am new to Splunk and I am creating a dashboard with events. I would like to create a new field on the event which will have a value based on another field.
P.S. I already included the existing field as part of the search.
For example:
When the existing field has 'XXX' in it, I need to populate 'ABC' in the new field, and 'YYY' as 'CDE'.
Your sentence can be read 2 ways. @sundareshr has interpreted and answered it one way, here is the other:
... | eval newfield=if(existingfield="XXX", "AAA", null()) | eval YYY=if(existingfield="XXX", "CDE", null()) | ...
Try this
... | eval newfield=case(existingfield="XXX", "AAA", existingfield="YYY", "CDE", 1=1, null()) | ...
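Here is a self-contained search you can paste into the Splunk search bar to see both answers in action. It is an added example, not part of either answer above: `makeresults` and `streamstats` fabricate four sample events (the field name `existingfield`, the values `XXX`, `YYY`, `prefix-XXX-suffix`, `other`, and the output field names are all constructed for the demo), so it runs without any indexed data. `newfield` uses the exact-match `case()` from the second answer, and `newfield_contains` uses `like()` instead, which covers the "has 'XXX' in it" (substring) reading of the question; `1=1, null()` as the final branch is the catch-all that leaves the field empty when nothing matches.

```spl
| makeresults count=4
| streamstats count AS n
| eval existingfield=case(n=1, "XXX", n=2, "YYY", n=3, "prefix-XXX-suffix", 1=1, "other")
| eval newfield=case(existingfield="XXX", "ABC", existingfield="YYY", "CDE", 1=1, null())
| eval newfield_contains=case(like(existingfield, "%XXX%"), "ABC", like(existingfield, "%YYY%"), "CDE", 1=1, null())
| table n existingfield newfield newfield_contains
```

Running it returns four rows: rows 1 and 2 get `ABC` and `CDE` in both new fields; row 3 (`prefix-XXX-suffix`) gets `ABC` only in `newfield_contains`, because the equality test in `newfield` does not match a substring; row 4 is empty in both. Pick the `case()` branch condition (`=`, `like()`, or `match()` for a regex) that reflects how the existing field is actually populated in your events, and keep the catch-all branch last, since `case()` returns the value of the first condition that is true.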