https://community.splunk.com/t5/Splunk-Search/What-s-the-order-of-search-time-field-extraction/m-p/132245#M36056 <P>I worked out why mine wasn't working, I had the EVAL-Company in the host::* section, but had the REPORT-Company in the sourcetype stanza and I read that precedence is host first, so my Company field did not exist when it tried to make the substitutions. Fixed that and it worked.</P> <P>Thanks for all the comments.</P> Fri, 08 Nov 2013 06:02:22 GMT bowesmana 2013-11-08T06:02:22Z https://community.splunk.com/t5/Splunk-Search/What-s-the-order-of-search-time-field-extraction/m-p/132241#M36052 <P>I have data like</P> <P>whrchan-ros,FirstName,LastName,End User,Activated,Major Account,Group,Direct sales</P> <P>I want to create a Company field at search time, which is the 3 character suffix. I have a field transform, which is</P> <PRE><CODE>.*-(?&lt;Company&gt;[a-z]*$) </CODE></PRE> <P>but I also want to convert any suffixes that are ros, to be rhk, so I have an eval calculated field of</P> <PRE><CODE>Company=if(Company="ros","rhk",Company) </CODE></PRE> <P>If I use eval in the search command it works, but it's not working via the calculated field definition, so I guess it's an order issue.</P> <P>How can I make that substitution after the Company has first been extracted.</P> Thu, 07 Nov 2013 09:33:52 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-order-of-search-time-field-extraction/m-p/132241#M36052 bowesmana 2013-11-07T09:33:52Z https://community.splunk.com/t5/Splunk-Search/What-s-the-order-of-search-time-field-extraction/m-p/132242#M36053 <P>Calculated fields happen <STRONG>after</STRONG> field extractions (EXTRACT-aaa, REPORT-aaa). In your props.conf file enter the following and check again:</P> <P><CODE>[my_sourcetype]<BR /> EXTRACT-company = .*-(?&lt;Company&gt;[a-z]*$)<BR /> EVAL-Company = if(Company="ros","rhk",Company)</CODE></P> Thu, 07 Nov 2013 14:33:05 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-order-of-search-time-field-extraction/m-p/132242#M36053 _d_ 2013-11-07T14:33:05Z https://community.splunk.com/t5/Splunk-Search/What-s-the-order-of-search-time-field-extraction/m-p/132243#M36054 <P>Ensure that field name is same in both the stanza.</P> Thu, 07 Nov 2013 19:00:58 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-order-of-search-time-field-extraction/m-p/132243#M36054 somesoni2 2013-11-07T19:00:58Z https://community.splunk.com/t5/Splunk-Search/What-s-the-order-of-search-time-field-extraction/m-p/132244#M36055 <P>No, in EXTRACT-xxx, the <CODE>xxx</CODE> can be anything as long as it's unique within a stanza. In EVAL-xxx, the <CODE>xxx</CODE> <STRONG>must</STRONG> be the field name.</P> Thu, 07 Nov 2013 19:04:42 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-order-of-search-time-field-extraction/m-p/132244#M36055 _d_ 2013-11-07T19:04:42Z https://community.splunk.com/t5/Splunk-Search/What-s-the-order-of-search-time-field-extraction/m-p/132245#M36056 <P>I worked out why mine wasn't working, I had the EVAL-Company in the host::* section, but had the REPORT-Company in the sourcetype stanza and I read that precedence is host first, so my Company field did not exist when it tried to make the substitutions. Fixed that and it worked.</P> <P>Thanks for all the comments.</P> Fri, 08 Nov 2013 06:02:22 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-order-of-search-time-field-extraction/m-p/132245#M36056 bowesmana 2013-11-08T06:02:22Z https://community.splunk.com/t5/Splunk-Search/What-s-the-order-of-search-time-field-extraction/m-p/132246#M36057 <P>Splunk now documents this very well. I highly recommend the <A href="http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Searchtimeoperationssequence">The sequence of search-time operations</A> page.</P> Tue, 25 Oct 2016 17:30:02 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-order-of-search-time-field-extraction/m-p/132246#M36057 Lowell 2016-10-25T17:30:02Z