- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why isn't calculated field working when trying to ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I have some MSAD:NT6:DNS logs I'm trying to massage into the Network Resolution data model. I have a field extraction for message_type and now I'm trying to use a Calculated Field to override the extracted value into the data model expected field.
The extraction portion works great, and I tested the eval at the end of a search and it works fine:
sourcetype="MSAD:NT6:DNS" | eval message_type=if(message_type == "Rcv", "Query", "unknown")
However, when I create the Calculated Field in the web browser (Splunk Cloud, no access to props.conf) nothing changes and the original message_type remains.
Permissions are global, it's enabled and below are the relevant fields in the UI:
Name Field name Eval expression
MSAD:NT6:DNS:EVAL-message_type message_type if(message_type == "Rcv", "Query", "unknown")
I've also tried the eval expression explicitly including the field name:
Name Field name Eval expression
MSAD:NT6:DNS:EVAL-message_type message_type message_type=if(message_type == "Rcv", "Query", "unknown")
I assume there is just something wrong with my eval, but everything I read suggests an eval that works in the search bar should work in a calculated field.
Thoughts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just thought I'd get back to you with the solution. It appears there was an app already making the message_type field and I'm guessing that the app had a higher precedence over my field. I decided to use a lookup table and it worked like a charm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just thought I'd get back to you with the solution. It appears there was an app already making the message_type field and I'm guessing that the app had a higher precedence over my field. I decided to use a lookup table and it worked like a charm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The first form of the calculated field is the correct one. Remove all the spaces from the expression and try it again. Sometimes Splunk can be funny about that, and since you aren't using the normal search command parser, this could be one of those funny times.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmmm. I thought it worked at first, but I guess I was wrong. Still the same issues.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What happens if instead of trying to overwrite the existing (message_type) field, you try to create a new field with the same if statement?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same result. I cloned it and set the field name to be test_field and the result was identical.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
