Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with Splunk search (EVAL command)

efelder0
Communicator
‎12-20-2011 08:43 AM

I am trying to assign a value to a Severity field when the sourcetype = "low" or "Med" or "high".

I.e. - IF sourcetype = Low, then Severity = "Low".

I am certain that an EVAL statement should work here, but not sure what the statement would read??

thx

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

efelder0
Communicator
‎12-20-2011 11:38 AM

OK, this works now:

eval Severity=if(sourcetype=="Low", "Low", null())

View solution in original post

Reply
Solved! Jump to solution

rtadams89
Contributor
‎12-21-2011 11:48 AM

This is a prime time to use the eval case() function:

| eval Severity = case(sourcetype == "Low", "Low", sourcetype == "Med", "Medium", sourcetype == "High", "High")

Of course, if the value of the "sourcetype" field is always exactly what you want the value of the "Severity" field to be, you could just do:

| eval Severity = sourcetype
Reply
Solved! Jump to solution
Solution

efelder0
Communicator
‎12-20-2011 11:38 AM

OK, this works now:

eval Severity=if(sourcetype=="Low", "Low", null())

Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎12-20-2011 12:35 PM

Excellent, please upvote and accept if this answer helped you.

0 Karma
Reply
Solved! Jump to solution

efelder0
Communicator
‎12-20-2011 10:13 AM

I tried that. In fact, here is the actual search string = sourcetype="McAfee ePo - Med" | eval Severity=if(sourcetype=="McAfee ePo - Med", "Medium") | table Severity

I am getting the following error message: [EventsViewer module] Error in 'eval' command: The arguments to the 'if' function are invalid.

Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎12-20-2011 10:50 AM

Take out the double "=" inside of your eval and give it another parameter - sourcetype="McAfee ePo - Med" | eval Severity=if(sourcetype="McAfee ePo - Med", "Medium",null) | table Severity

The other parameter can be null if you want nothing or another meaningful result as given in the previous example. If you want to evaluate all three Severity types, the example provided before will nest them into one eval.

0 Karma
Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎12-20-2011 08:54 AM

What about something along the lines of

eval Severity = if (sourcetype="low", "low", if (sourcetype="med", "med", if (sourcetype="high", "high","No Status")))

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...