topic Re: How to use eval to change a field's value? in Splunk Search

How to use eval to change a field's value?

guillecasco — Wed, 18 May 2016 12:44:30 GMT

Is it possible with EVAL do the following? I have a field named version which brings the value like this:

Version
60101228
50201315

but I would like to change it for the following (and maintain the original)

Version
" 60101228 or 6.1.1228"
"50201315 or 5.2.1315"

Where a 0 (zero) is replaced for a dot (.). I need this because later I will need both values in a dynamic drop-down search in which values can appear in both ways.

Can eval do this? Maybe other function? thanks!

Re: How to use eval to change a field's value?

jmallorquin — Wed, 18 May 2016 13:49:56 GMT

Hi,

Yes but with rex

|rex field=Version "(?<1>.)(?<2>.)(?<3>....)
| eval Version = 1.".".2.".".3

Hope i help you

Re: How to use eval to change a field's value?

somesoni2 — Wed, 18 May 2016 14:09:25 GMT

Try something like this.

| gentimes start=-1 | eval Version="60101228 50201315" | makemv Version | mvexpand Version | table Version 
| eval Version1=replace(Version,"^(\d)(\d{2})(\d{2})(\d+)","\1\2\3\4 OR \1.\2.\3.\4")  
| eval Version2=replace(Version1,"(\d+)\sOR\s(\d)\.0*([^\.]+)\.0*([^\.]+)\.([^\.]+)","\1 OR \2.\3.\4.\5")

Line 1 is just to generate sample data, replace it with your search
Line two gives a conversion (with leading 0s). If that works you can use just the line 2. If not, use both line 2 and line 3.

Re: How to use eval to change a field's value?

guillecasco — Wed, 18 May 2016 14:49:47 GMT

maybe I wasn't quite clear. This is the search and results.

index=* usearch |rex "\"version\": \"(?\w*)\"" |dedup Version |table Version

Version
60201327
60201528
60201827
60201429
50201219
50201413

now i would like to replace those value for :
Version
60201327 OR 6.2.1327
60201528 OR 6.2.1528

Re: How to use eval to change a field's value?

sundareshr — Wed, 18 May 2016 16:18:13 GMT

Try this

index=* usearch | rex "\"version\": \"(?\w*)\"" | dedup Version | eval version = replace(version,"0",".") | table Version

Re: How to use eval to change a field's value?

jkat54 — Wed, 18 May 2016 16:34:39 GMT

It's exactly what he gave but slightly modified:

 index=* usearch |rex "\"version\": \"(?\w*)\"" |dedup Version
| eval Version1=replace(Version,"^(\d)(\d{2})(\d{2})(\d+)","\1\2\3\4 OR \1.\2.\3.\4")  
| eval Version=replace(Version1,"(\d+)\sOR\s(\d)\.0*([^\.]+)\.0*([^\.]+)\.([^\.]+)","\1 OR \2.\3.\4.\5")
| table Version

Re: How to use eval to change a field's value?

jkat54 — Wed, 18 May 2016 16:38:57 GMT

index=* usearch 
|rex "\"version\": \"(?\w*)\"" 
|dedup Version
|rex field=Version mode=sed "s/(\d)(\d{2})(\d{2})(\d{3})/\1.\2.\3.\4/g" 
|eval Version=replace(Version,"0","") 
|table Version

Re: How to use eval to change a field's value?

jkat54 — Wed, 18 May 2016 16:42:42 GMT

index=* usearch
|rex "\"version\": \"(?<major>\d)(?<minor1>\d{2})(?<minor2>\d{2})(<minor3>\d{3})\""  
|eval Version=major.".".minor1.".".minor2.".".minor3 
|eval Version=replace(Version,"0","")
|table Version

Re: How to use eval to change a field's value?

guillecasco — Wed, 18 May 2016 17:05:27 GMT

yes but how can i do it without the 0 in the second part? i have it like this:

Version
30201425 OR 3.02.01.425
30201424 OR 3.02.01.424

just need the 3.2.1.425

Re: How to use eval to change a field's value?

guillecasco — Wed, 18 May 2016 18:12:46 GMT

sorry i missunderstood, it´s working now, thanks!

Re: How to use eval to change a field's value?

guillecasco — Wed, 18 May 2016 19:43:55 GMT

how about the other way round?

version
1.2.3

version
1.2.3 or 10203

Re: How to use eval to change a field's value?

sundareshr — Wed, 18 May 2016 21:16:29 GMT

If you want both formats, try this

| eval version=version." OR ".replace(version, "\.", "0")

Re: How to use eval to change a field's value?

nawazns5038 — Tue, 20 Dec 2016 23:30:18 GMT

Regex: group name must start with a non-digit...

Re: How to use eval to change a field's value?

nawazns5038 — Tue, 29 Sep 2020 12:09:13 GMT

eval version2=replace(version,"0",".") | eval new_version= version+" or "+ version2 | rename new_version AS version.

This avoids confusion between field names .

Re: How to use eval to change a field's value?

robertlynch2020 — Thu, 13 Apr 2017 14:52:54 GMT

is there anyway to replace all non alphanumeric with a value?

Re: How to use eval to change a field's value?

somesoni2 — Thu, 13 Apr 2017 15:01:56 GMT

What is your use-case? Can you provide some sample of current and expected values?

Re: How to use eval to change a field's value?

jkat54 — Thu, 13 Apr 2017 15:35:38 GMT

Use this regex for the match

Only it will match underscore too.

Re: How to use eval to change a field's value?

robertlynch2020 — Thu, 13 Apr 2017 16:46:37 GMT

Thanks for your help

In Datamodels, i am trying to change the data i am reading in to have only alphanumeric

What i have
peter hi
ex⁢
field=1;like&
name
john

What i want
peterhi
exit
field1like
name
john

so i have been trying the following and it working for one, but i want one command for all non alphanumeric.
replace(Context,";","")
replace(Context,"=","")
replace(Context," ","")
replace(Context,"&","")

Re: How to use eval to change a field's value?

jkat54 — Thu, 13 Apr 2017 17:20:26 GMT

Just use \W instead of each non-alphanumeric character you're currently using.

replace(Context,"\W","")

Re: How to use eval to change a field's value?

robertlynch2020 — Fri, 14 Apr 2017 11:26:06 GMT

This worked, thanks :).

However i have another issues where i am trying to do the same thing in props.conf
However i cant seem to get the REG to work

(?P<Elapsed>\w+)|

The idea is to change the Data at the initial point.

any help would be great 🙂

So the data is

20151029|12:31:00|MUREXFO   |     1 |SessionCreate                 |MXDIS..&PATCHER                  |   0.21s|   0.22s|100%|  -0.01s|   0% |                                      |1065.44Mb
20151029|12:31:00|MUREXFO   |     2 |RequestDocument3              |MXD~'##ISPATCHER                  |   0.01s|   0.03s|100%|  -0.02s|   0% |                                      |1065.65Mb
20151029|12:31:00|MUREXFO   |     3 |RequestDocument3              |MXDISP..??ATCHER                  |   0.01s|   0.01s|100%|   0.00s|   0% |

The code i have is

^(?:[^\|\n]*\|){5}(?P<Command>\w+)| *-*(?P<Elapsed2>\d+\.\d+)\w+\| *-*(?P<CPU>\d+\.\d+)s\| *-*(?P<CPU_PER>\d+)%\| *-*(?P<RDB_COM>\d+\.\d+)s\| *-*(?P<RDB_COM_PER>\d+)%\s+\|

The issues is i am only getting the first few characters, and i want all alpha-numeric the pipe |

So i have
MXDIS..&PATCHER
MXD~'##ISPATCHER
MXDISP..??ATCHER

I want
MXDISPATCHER
MXDISPATCHER
MXDISPATCHER