Hi all,
Is there a way to create an if statement whose result will create a new field with a constant value?
For example:
In a ten-minute time window:
if DeviceProduct=IPS pririty=7 AND src=10.10.10.10 And DeviceAction=block --> create new field with constant value: Action=B
Hi bugnet,
did you try something like this:
| eval new_field=if(DeviceProduct="IPS" AND pririty=7 AND src="10.10.10.10" AND DeviceAction="block","constant_value",null())
Bye.
Giuseppe
Are you looking for something like following?
| eval Action=case(DeviceProduct=="IPS" AND pririty=="7" AND src="10.10.10.10" AND DeviceAction=="block","B",1==1,"OTHER")
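Putting the case() approach together with the ten-minute window from the question, as an added example that is not from either poster; the index and sourcetype names are placeholders you would replace with your own:

```spl
index=<your_index> sourcetype=<your_cef_sourcetype> earliest=-10m@m latest=@m
| eval Action=case(
      DeviceProduct=="IPS" AND pririty==7 AND src=="10.10.10.10" AND DeviceAction=="block", "B",
      true(), "OTHER")
| bin _time span=10m
| stats count AS events BY _time src DeviceAction Action
```

The eval adds the constant Action field per event; bin and stats then roll the labelled events up per ten-minute bucket so you can see how many blocks that source generated in the window.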