I am trying to create a new extracted field by using an existing calculated field. The reason I want to do this is that I came to know that a calculated field can't be used to create another calculated field.
Example of what I am trying to achieve:
eval field_a=case(value_of_field=="a",value_of_field_x . "_" . value_of_field_y)
eval field_b=case(field_a=="expected_value","EXPECTED",field_a=="bad_value","BAD")
I can use this in the search line just fine because I can have multiple eval statements in a Splunk search, but I want to define brand new public fields with these same evals, and I can't do multiple evals while creating a new public calculated field.
Is there any workaround to achieve #2 above? I.e., can I create another regex field that uses the same values of "field_a" and use the extracted field to create the calculated "field_b"?
Try this for your 2nd calculated field:
eval field_b=case(case(value_of_field=="a",value_of_field_x . "_" . value_of_field_y)=="expected_value","EXPECTED",case(value_of_field=="a",value_of_field_x . "_" . value_of_field_y)=="bad_value","BAD")
Thank you so much! I was struggling with how to combine both of these into just one eval statement and this is exactly how I can do it. I really appreciate your help!!