Hi,
I am trying to calculate a field from data that I receive from a vulnerability system.
The severity field returns "unknown", which screws up my dashboards.
I want to eval a field 'category' and, if it equals INFO, set field 'severity' to Informational.
search ... | eval severity=if(category,"INFO","Informational")
Try to assign it back to itself then, if you want it to stay unmodified:
| eval severity=if(category=="INFO","informational", severity)
Try this out:
search ... | eval severity=case(match(category,"INFO"), "Informational", true(), severity)
Thanks all. This is working exactly how I wanted it to work.
Ok I got here....
| eval severity=if(category=="INFO","informational", " ")
What should my last argument be if I want the severity to stay unmodified if it does not equal INFO?
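An added example, not part of the original thread: the two suggestions above (the `if` with `==` and the `case` with `match`) run side by side on constructed events, plus an anchored `match` variant. The sample values and the output field names `sev_if`, `sev_match` and `sev_anchored` are assumptions made for illustration. `==` is an exact, case-sensitive comparison, while `match` is an unanchored regular expression, so a category such as "INFORMATION" is rewritten by `sev_match` but not by the other two; events with no category at all keep their original severity in every variant.

```spl
| makeresults count=5
| streamstats count AS n
| eval category=case(n==1,"INFO", n==2,"info", n==3,"INFORMATION", n==4,"HIGH")
| eval severity=case(n==4,"High", n==5,"Medium", true(),"unknown")
| eval sev_if=if(category=="INFO","Informational",severity)
| eval sev_match=case(match(category,"INFO"),"Informational", true(), severity)
| eval sev_anchored=case(match(category,"^INFO$"),"Informational", true(), severity)
| table n category severity sev_if sev_match sev_anchored
```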