https://community.splunk.com/t5/Splunk-Search/How-to-prepend-a-value-to-a-field-at-search-time-to-sanitize/m-p/217147#M63767 <PRE><CODE>Error in 'SearchParser': The name 'http.hostname' is invalid. Macro and argument names may only include alphanumerics, '_' and '-'. </CODE></PRE> Wed, 22 Jun 2016 20:41:25 GMT JSkier 2016-06-22T20:41:25Z https://community.splunk.com/t5/Splunk-Search/How-to-prepend-a-value-to-a-field-at-search-time-to-sanitize/m-p/217144#M63764 <P>I'd like to sanitize host names during search time in Splunk (IDS alerts), so users don't receive a hyperlink to the bad sites and the alerts don't get snagged by the mail filter. I'd like to keep the inline table results of the alerts for mobile users and general convenience. </P> <P>For example, <A href="http://www.badsite.com">www.badsite.com</A> is automatically hyperlinked in e-mail clients, so I'd like to prepend hxxp:// to the field so the sent alert message doesn't get hyperlink or dropped. By specifying a bogus protocol both fat mail client and mail scanner will pass the inline table without issue. </P> <P>I found something about appending in the community, but that just shows a blank field during search for me (even when I assign httphostname without a period). </P> <PRE><CODE>eval http.hostname=http.hostname."hxxp://" | </CODE></PRE> <P>In theory, I'd like this to prepend and actually work:</P> <PRE><CODE>eval http.hostname="hxxp://".http.hostname | </CODE></PRE> <P>I'm using Splunk 6.3.2 in a clustered Linux environment, any help is appreciated.</P> Wed, 22 Jun 2016 20:25:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prepend-a-value-to-a-field-at-search-time-to-sanitize/m-p/217144#M63764 JSkier 2016-06-22T20:25:13Z https://community.splunk.com/t5/Splunk-Search/How-to-prepend-a-value-to-a-field-at-search-time-to-sanitize/m-p/217145#M63765 <P>Try putting your field name with single quotes. Like this</P> <PRE><CODE>| eval http.hostname="hxxp://".`http.hostname` </CODE></PRE> Wed, 22 Jun 2016 20:37:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prepend-a-value-to-a-field-at-search-time-to-sanitize/m-p/217145#M63765 sundareshr 2016-06-22T20:37:54Z https://community.splunk.com/t5/Splunk-Search/How-to-prepend-a-value-to-a-field-at-search-time-to-sanitize/m-p/217146#M63766 <P>Assuming that you have a field called <CODE>http.hostname</CODE> then like this:</P> <PRE><CODE>... | eval "http.hostname" = "hxxp://" . $http.hostname$ </CODE></PRE> <P>Or possibly this:</P> <PRE><CODE>... | rex field="http.hostname" mode=sed "s/^http:/hxxp:/" </CODE></PRE> Wed, 22 Jun 2016 20:38:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prepend-a-value-to-a-field-at-search-time-to-sanitize/m-p/217146#M63766 woodcock 2016-06-22T20:38:46Z https://community.splunk.com/t5/Splunk-Search/How-to-prepend-a-value-to-a-field-at-search-time-to-sanitize/m-p/217147#M63767 <PRE><CODE>Error in 'SearchParser': The name 'http.hostname' is invalid. Macro and argument names may only include alphanumerics, '_' and '-'. </CODE></PRE> Wed, 22 Jun 2016 20:41:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prepend-a-value-to-a-field-at-search-time-to-sanitize/m-p/217147#M63767 JSkier 2016-06-22T20:41:25Z https://community.splunk.com/t5/Splunk-Search/How-to-prepend-a-value-to-a-field-at-search-time-to-sanitize/m-p/217148#M63768 <P>This worked perfectly, thanks!<BR /> ... | eval "http.hostname" = "hxxp://" . $http.hostname$</P> Wed, 22 Jun 2016 20:43:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prepend-a-value-to-a-field-at-search-time-to-sanitize/m-p/217148#M63768 JSkier 2016-06-22T20:43:34Z