Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create an extracted field using existing calculated field?

chauhanviral82
New Member
‎05-04-2017 12:56 PM

I am trying to create a new extracted field by using existing calculated field. The reason I want to do this is because I came to know that a calculated field can't be used to create another calculated field.

Example of what I am trying to achieve:

  1. Combining values of 2 fields and assigning it to "field_a": eval field_a=case(value_of_field=="a",value_of_field_x . "_" . value_of_field_y)
  2. Use values of "field_a" and determine value of "field_b" eval field_b=case(field_a=="expected_value","EXPECTED",field_a=="bad_value","BAD")

I can use this in search line just fine because I can have multiple eval statements in splunk search but I want to define brand new public fields with these same evals and I can't do multiple evals while creating a new public calculated field.
Is there any workaround to achieve #2 above?? i.e. can I create another regex field that uses the same values of "field_a" and use extracted field to create calculated "field_b"?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-04-2017 02:06 PM

Try this for your 2nd calculated field:

eval field_b=case(case(value_of_field=="a",value_of_field_x . "_" . value_of_field_y)=="expected_value","EXPECTED",case(value_of_field=="a",value_of_field_x . "_" . value_of_field_y)=="bad_value","BAD")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-04-2017 02:06 PM

Try this for your 2nd calculated field:

eval field_b=case(case(value_of_field=="a",value_of_field_x . "_" . value_of_field_y)=="expected_value","EXPECTED",case(value_of_field=="a",value_of_field_x . "_" . value_of_field_y)=="bad_value","BAD")
0 Karma
Reply
Solved! Jump to solution

chauhanviral82
New Member
‎05-04-2017 04:13 PM

Thank you so much! I was struggling with how to combine both of these into just one eval statement and this is exactly how I can do it. I really appreciate your help!!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...