What I'm trying to do is create a field named ids_type and make it equal to network. (ids_type=network)
I'm trying to add a new field to a sourcetype. The name of the field is ids_type. I created an eval statement that works when i run a search. But when I save it as a calculated field it doesn't seem to work. The eval expression is if(rec_type="400","network",null). I have refreshed Splunk, restarted Splunk and changed the permissions of the field calculation to all apps. But it doesn't seem to be working. what else can I troubleshoot?
↧