topic Re: How to write a Calculated field by extracting a value from an existing field using REGEX in Splunk Search

How to write a Calculated field by extracting a value from an existing field using REGEX

apvinod2003 — Tue, 29 Sep 2020 09:13:26 GMT

Hi Experts,

I'd want to create a calculated field called domainName from the SourcePath field.
SourcePath field has this value: "/org/app/comp_domain123_port_host"

I need to extract the "domain123" string from the above field and store it in domainName calculated field
I had to probably write an eval expression since I had to store this field under "calculated fields" settings in Splunk.
But with eval, we cannot use rex I suppose, so how do I achieve this? Read some examples that we can use mvfilter along with a match function, but it didn't seem to work.

Any help would be appreciated 🙂

Regards,
Vinod

Re: How to write a Calculated field by extracting a value from an existing field using REGEX

javiergn — Tue, 29 Mar 2016 19:23:04 GMT

You can use rex:

| yoursearch
| rex field=SourcePath "(?msi)^\/[^\/]+\/[^\/]+\/[^_]+_(?<domainName>[^_]+)"

For example, the following:

| stats count
| eval SourcePath = "/org/app/comp_domain123_port_host"
| rex field=SourcePath "(?msi)^\/[^\/]+\/[^\/]+\/[^_]+_(?<domainName>[^_]+)"

Will create a new field called domainName with value domain123

Re: How to write a Calculated field by extracting a value from an existing field using REGEX

ddrillic — Tue, 29 Mar 2016 19:28:44 GMT

Vinod, you can do it in the calculated fields settings by specifying the new field name in Name and the eval expression in the Eval expression field. I just tried it by placing replace(adjd_dt,"-","") there and it worked just fine.

Re: How to write a Calculated field by extracting a value from an existing field using REGEX

ddrillic — Tue, 29 Mar 2016 19:36:31 GMT

But you are right Vinod, rex is a bit problematic in this case...

Re: How to write a Calculated field by extracting a value from an existing field using REGEX

jedatt01 — Tue, 29 Mar 2016 19:41:18 GMT

To my knowedge you cannot do this with an eval. I know this is not as convenient as a calculated field, but have you considered writing a rex command like the below and save it as a macro? That way you can invoke the extraction very quickly when needed.

mysearch | rex field=SourcePath "\/\w*\/\w*\/[a-zA-Z]*\_(?<domainName>[a-zA-Z0-9]*)"

Re: How to write a Calculated field by extracting a value from an existing field using REGEX

jsie_splunk — Tue, 29 Mar 2016 19:44:51 GMT

Any particular reason you need to this with a calculated field versus a field extraction? If you're open to the field extraction, then jedatt01's solution can be leveraged under Settings -> Field Extractions. You can set it as inline, which will end up being an EXTRACT in props.conf.

Re: How to write a Calculated field by extracting a value from an existing field using REGEX

somesoni2 — Tue, 29 Mar 2016 22:49:20 GMT

Combining rex from @javiergn and replace function from @ddrillic, use this as your calculated field definition (if updating using props.conf) OR just copy the part after EVAL-
props.conf

[yoursourcetype]
EVAL-domain=replace(SourcePath,"^\/[^\/]+\/[^\/]+\/[^_]+_([^_]+)","\1")

Re: How to write a Calculated field by extracting a value from an existing field using REGEX

apvinod2003 — Wed, 30 Mar 2016 14:29:41 GMT

Thanks all for your answers; didn't expect so many answers in a short span 🙂
I now realize that Field Extraction would be a better choice, given that I actually need to be able to search on that extracted field (Calculated field is more for projecting the result I guess, I may be wrong).
I had created an extracted field called "domainName" through "settings -> Fields -> Extracted Fields" as below:

rex field=SourcePath "\/\w*\/\w*\/[a-zA-Z]*\_(?<domainName>[a-zA-Z0-9]*)"

I had enabled read permissions for "search" app. But I'm not able to search on this domainName
when I search with host=host123 domainName=domain123 , I don't get any results.

Search with host=host123 SourcePath = "/org/app/comp_domain123_port_host" returns results though.

Any clues ?

Another query: I don't find the "portName" extracted field in Selected fields, or interested fields or all fields sections. Is any configuration required to make them appear there?