Splunk Search

How to make an existing field equal a certain value based on the value of another field?

wtaylor149
Explorer

I have a need to set an existing field to a value if another field has a certain value. Example:

what I want to do:
impact = Vulnerable then severity = high
impact = Potentially Vulnerable then severity = medium

Currently each of the impact fields comes in as high, medium or low. We're looking to make them standard and trigger our Splunk ES to set the Urgency based on the severity we tell it.

I've tried the search below, but nothing returns in the stats tab:

'my search' | eval severity = case(impact = Vulnerable, "high", impact = "Not Vulnerable", "medium") | stats count by impact, severity

javiergn
Super Champion

Hi, provided 'my search' is correct, I can't see anything wrong with the eval or the stats count.
Maybe add a default value for your case with

eval severity = case(impact = Vulnerable, "high", impact = "Not Vulnerable", "medium", 1=1, "other")

And see if that's returning anything.


wtaylor149
Explorer

I much appreciate the quick response; however, this is not working. The severity is coming up as "other". It is not picking up the eval statements.

I modified the eval statement slightly and it looks like it's working.
| eval severity = case(impact = "Vulnerable", "high", impact = "Not Vulnerable", "medium", 1=1, "other") | stats count by impact, severity

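The mapping from the question written out in full, as an added example rather than code from either poster. It assumes the same `impact` field and the three values named in the question, uses `'my search'` as a stand-in for the real base search, and the "low" and "unknown" branches are assumed additions, not something the thread specifies:

```spl
'my search'
| eval severity = case(
      impact == "Vulnerable",             "high",
      impact == "Potentially Vulnerable", "medium",
      impact == "Not Vulnerable",         "low",
      isnull(impact),                     "unknown",
      true(),                             "other")
| stats count by impact, severity
```

In eval, an unquoted word such as Vulnerable is read as a field name, so `impact = Vulnerable` compares two fields and is never true when no field named Vulnerable exists; that is why the original search fell through to the "other" default, and why every string literal in `case()` must be double-quoted.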