topic Coalesce in transforms in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Coalesce-in-transforms/m-p/397898#M70949 <P>Hello,</P> <P>I am working with some apache logs that <EM>can</EM> go through one or more proxies, when a request go through a proxy a X-forwarded-for header is added. The problem is that the apache logs show the client IP as the last address the request came from. The logs do however add the X-forwarded-for entries to the end of the log entry if they exist.</P> <P>What I need to do is get the clientip field updated via transforms to the correct address so that the web analytics app gets the correct data. The following search shows an example of the goal.</P> <PRE><CODE>index=weblogs | rex field=other "^(?&lt;first_forward&gt;[0-9\.]+)" | eval clientip=coalesce(first_forward, clientip) </CODE></PRE> <P>The <EM>other</EM> field is already extracted and contains a comma separated list of the X-forwarded-for headers.</P> <P>I see two options on how to solve this, unless there is some magic way to do evals in transforms/props.</P> <P>1) I could create a regex to extract the values in transforms, but not sure how to coalesce them in transforms/props.</P> <P>2) Create a macro that does the job, but then I would need to update every search in the app and this would make updating the app lame.</P> <P>Any ideas?</P> Thu, 09 Aug 2018 18:12:15 GMT knutsod 2018-08-09T18:12:15Z Coalesce in transforms https://community.splunk.com/t5/Getting-Data-In/Coalesce-in-transforms/m-p/397898#M70949 <P>Hello,</P> <P>I am working with some apache logs that <EM>can</EM> go through one or more proxies, when a request go through a proxy a X-forwarded-for header is added. The problem is that the apache logs show the client IP as the last address the request came from. The logs do however add the X-forwarded-for entries to the end of the log entry if they exist.</P> <P>What I need to do is get the clientip field updated via transforms to the correct address so that the web analytics app gets the correct data. The following search shows an example of the goal.</P> <PRE><CODE>index=weblogs | rex field=other "^(?&lt;first_forward&gt;[0-9\.]+)" | eval clientip=coalesce(first_forward, clientip) </CODE></PRE> <P>The <EM>other</EM> field is already extracted and contains a comma separated list of the X-forwarded-for headers.</P> <P>I see two options on how to solve this, unless there is some magic way to do evals in transforms/props.</P> <P>1) I could create a regex to extract the values in transforms, but not sure how to coalesce them in transforms/props.</P> <P>2) Create a macro that does the job, but then I would need to update every search in the app and this would make updating the app lame.</P> <P>Any ideas?</P> Thu, 09 Aug 2018 18:12:15 GMT https://community.splunk.com/t5/Getting-Data-In/Coalesce-in-transforms/m-p/397898#M70949 knutsod 2018-08-09T18:12:15Z