Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating new Field for Sourcetype to be searched against based off existing Field

santorof
Communicator
‎12-04-2015 06:13 AM

I have a field called action and the only two possible results are 7 or 8. These relate to blocked or allowed and I want to create a new field similar using something like this:

eval action=case("7","Allowed","8","Blocked")

The new field(action_Taken) should be searchable against but I am not sure if this would be best accomplished through Calculated Fields or a macro and eval. I tried using Calculated Fields but from the documentation I have read It was only for operations not for what I want to use it for. And Macros I am not sure where to start.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-04-2015 07:41 AM

Hi, I would definitely go for Calculated Fields if you want this to be as transparent as possible for the user. You can even define them from the GUI and restrict permissions so that this calculated field is only extracted for certain users.

Take a look at this.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-04-2015 07:41 AM

Hi, I would definitely go for Calculated Fields if you want this to be as transparent as possible for the user. You can even define them from the GUI and restrict permissions so that this calculated field is only extracted for certain users.

Take a look at this.

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎12-04-2015 07:48 AM

For instance, look at this built-in calculated field that comes with the Stream app:

name: stream:http : EVAL-action
field name: action
expression:

case(status>=200 AND status<300, "allowed", status>=400, "blocked")

Isn't that very similar to what you are trying to do?

0 Karma
Reply
Solved! Jump to solution

santorof
Communicator
‎12-04-2015 08:03 AM

This worked perfectly. Created a new field that other people can see that's simply Allowed and Blocked. Thank You!

Edit: Any reason I cant search against this new field where action=Allowed
Edit Edit: Reading the documentation fine print " Cannot base calculated field s on lookup fields since evaluation of calculation fields takes place after search time field extraction"

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎12-04-2015 07:33 AM

Tags may be your answer

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Defineandusetags

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...