Description: The eval command calculates an expression and puts the resulting value into a search results field.

I got some problems categorizing a custom field according to its content. To do so I am using multiple eval IF commands:

| eval Myfield=if(Like(Myfield, "%Windows%"), "Microsoft", Myfield)
| eval Myfield=if(Like(Myfield, "%iPhone%"), "Apple", Myfield)
| eval Myfield=if(Like(Myfield, "%Android%"), "Google", Myfield)

With a simple stats count by Myfield I got both the number of Microsoft, Apple and Google values and the explicit values for everything else.

Now I want to expand this query in two ways:

1 - Including multiple conditions for the same value (to save writing a single eval for each case):

| eval Myfield=if(Like(Myfield, "%Windows%" OR "%Office%" OR "%Notepad%"), "Microsoft", Myfield)

2 - Including an "Other" value for everything that is not specified:

| eval Myfield=if(NOT Like(Myfield, "%Windows%" OR "%iPhone%" OR "%Android%"), "Other", Myfield)

However, neither of the two is working: I got some SPL grammar or logic problem that I still can't solve.

I have two fields I would like to combine into one field. Only one field is ever populated at any one time, so it is a bit redundant to have two fields that hold very similar information. These should just be combined into a single field.

Reply: You have fields in your data that contain some commonalities.

Reply: eval vulnage=lastSeen-firstSeen will give you the difference between firstSeen and lastSeen. Calculating the delta is very easy with the epoch timestamps, so you won't need the evals you posted.

It will work if at least one of my split results into 5 parts (0,1,2,3,4). But it will not work and gives blank results if none of my split results into 5 parts (0,1,2,3,4), i.e.
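The following search is an added example, not code posted by anyone in the thread above. It shows the working SPL for the three questions the thread raises: a single eval that maps several like() patterns to one vendor and falls through to "Other" via case() with a true() default, combining two mutually exclusive fields with coalesce(), and taking the delta of two epoch timestamps. The six sample rows are constructed with makeresults so the search runs on any Splunk instance with no indexed data; the field names src_ip, dest_ip, firstSeen, lastSeen, vendor and vulnage_days are assumptions chosen for the illustration and are not the thread's real field names.

```spl
| makeresults count=6
| streamstats count AS n
| eval Myfield=case(n=1, "Windows 10 Pro", n=2, "Microsoft Office 365", n=3, "iPhone 14",
                    n=4, "Android 13", n=5, "Ubuntu 22.04", n=6, "Notepad++")
| eval src_ip=if(n%2=0, "10.0.0." . n, null()), dest_ip=if(n%2=1, "10.0.1." . n, null())
| eval firstSeen=_time-(n*86400), lastSeen=_time
| eval vendor=case(
      like(Myfield, "%Windows%") OR like(Myfield, "%Office%") OR like(Myfield, "%Notepad%"), "Microsoft",
      like(Myfield, "%iPhone%"), "Apple",
      like(Myfield, "%Android%"), "Google",
      true(), "Other")
| eval ip=coalesce(src_ip, dest_ip)
| eval vulnage_days=round((lastSeen-firstSeen)/86400, 1)
| table Myfield vendor ip firstSeen lastSeen vulnage_days
```

The first eval builds the constructed sample rows; everything from the vendor eval onward is the reusable part. Each like() call takes a single field and a single pattern, so multiple patterns are joined with OR between separate like() calls rather than inside one call, which is the grammar problem in the poster's attempt. case() evaluates its conditions in order and stops at the first match, so the true() branch at the end catches everything not named above it and yields the "Other" bucket. Writing the result into a new vendor field instead of overwriting Myfield keeps the raw value available for drill-down; appending | stats count BY vendor to this search gives Microsoft 3, Apple 1, Google 1, Other 1. coalesce() returns the first non-null argument, which is exactly the "only one of the two is ever populated" case, and since _time-based fields are already epoch seconds the age is plain subtraction, divided by 86400 here only to express it in days.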