Splunk Search

SPL to take a field and make it a different "word"

coloradoark
New Member

Palo Alto has a field called “flags”. It can have several hex-type entries, but what I’m interested in is whether or not a session was decrypted, and this is the field that indicates that. What I could use a little help on, then I can go deeper, is how do I tell a field to return something usable; basically say: if the ‘flags’ field is 0x100000 then show me the words “Not Decrypted”, and if the ‘flags’ field is 0x1500000 then show me “Decrypted”. Past that, and with the syntax, I can build further. I’m guessing it’s an eval command, but I can’t figure it out.

help an amateur out? 🙂


DalJeanis
Legend

Lots of ways to do that.

First, you can set up a lookup table that translates from one to another.

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Lookup

| lookup mylookuptablename oldfieldname OUTPUT newfieldname

Second, if there are only a small number of values, you could use eval and case.

| eval newfield=case(oldfieldname=somevalue, somenewvalue,  
        oldfieldname=somevalue2, somenewvalue2, 
        .... as many statements as you need ...
        true(), somedefaultvalue)  

or

| eval newfield = if(oldfield=somevalue, somenewvalue, othernewvalue) 

niketn
Legend

@DalJeanis, I would just like to add that in case a statistical function (transforming commands like stats, chart or timechart) is being used in the same SPL where the field conversion has to happen, then the statistical function should be applied first, followed by the conversion of the field, for search optimization.

Also, within the eval command there are several functions that can be used, with case() being the most versatile, as Dal pointed out: case(), if(), match(), like() etc. See the documentation for Comparison and Conditional Eval functions: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions#Supported_fun...

Ideally you should use a lookup for easy maintenance, as Dal has mentioned. However, if you choose eval, you can save the same as either a Macro or a Calculated Field knowledge object for easy maintenance and reusability across your dashboards.


richgalloway
SplunkTrust

The gist is there are no bitwise operators in SPL.

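Pulling the two answers together, here is an added example that is not from any of the posters: it maps the asker's two literal values with case(), and, because SPL has no bitwise operators, it tests a single flag bit with integer division and modulus instead. It assumes that flags arrives as a hex string such as 0x1500000 and that the 0x01000000 bit (decimal 16777216) is the "session decrypted" flag; the three makeresults rows are constructed sample data.

```spl
| makeresults count=3
| streamstats count AS n
| eval flags=case(n=1, "0x100000", n=2, "0x1500000", n=3, "0x400000")
| eval flags_num=tonumber(replace(flags, "^0x", ""), 16)
| eval decrypt_state=case(flags="0x100000", "Not Decrypted",
                          flags="0x1500000", "Decrypted",
                          true(), "Unknown")
| eval decrypt_bit=floor(flags_num / 16777216) % 2
| eval decrypt_state_any=if(decrypt_bit=1, "Decrypted", "Not Decrypted")
| table flags flags_num decrypt_state decrypt_state_any
```

The literal case() only recognises the two exact values (the third constructed row comes out "Unknown"), while the division test reads the decryption bit regardless of which other flag bits are set, which matters because flags is a bitmask that changes with NAT, proxy and other session attributes.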