topic Re: Eval Match function Issue in Splunk Search

Eval Match function Issue

vikasreddy — Tue, 29 Sep 2020 14:52:24 GMT

I need to extract the date from the file name,But the format of the data on different files are different for eg:D20171202 is one file format,other one is D171203. I am extracting the date using regex and using eval match function I am changing the date format it is working fine , but it is changing some files date only.

below is the code I used
index=xyz source=a
| rex field=oldsorcefile"._D(?\d{8})."
|eval FDate2=case(macth(FDate1,"20*")FDate1,match(FDate,"17*"),("20"+(FDate1)))
| table Fdate1,FDate2

Here is the Sample output...

FDATE1 FDATE2
17071318 2017071318
17071418 2017071418
20170714 20170714
20170712 20170712
17071216 17071216

it is working fine but some dates are not changing according to code. any help would be great full.
Thanks

Re: Eval Match function Issue

niketn — Fri, 14 Jul 2017 12:02:48 GMT

Based on your description Date can be 6 digits (YYMMDD) or 8 digits (YYYYMMDD). Which is followed by ._D in the filename.
I expect your existing logic to fail when you have two 20s or two 17s in the date like 20170220 or 170117 etc.

One of the ways would be to match ^20 and ^17 in your existing eval so that it finds the pattern only in the beginning of the string i.e. : | eval FDate2=case(match(FDate1,"^17","20".FDate1,FDate1)

Other option would be perform eval based on length of extracted date field and to prefix 20 to date if length of date field in file is 6 and not 8 (following is run anywhere search to test the same):

| makeresults
| eval oldsourcefile="blahblah._D20170118"
| rex field=oldsourcefile ".D(?<FDate1>\d{6,8})"
| eval FDate2=if(len(FDate1)==6,"20".FDate1,FDate1)

Re: Eval Match function Issue

DalJeanis — Fri, 14 Jul 2017 15:09:59 GMT

try this -

| makeresults 
| eval _raw = "D171228  other stuff D20170521  more stuff D180521" 
| rename COMMENT as "The above just makes test data for correcting the _raw"

| rename COMMENT as "This changes all 6-digit dates in the _raw starting with D17 through D19 to D2017 through D2019"
| rename COMMENT as "so the solution will not break for over two years"
| rex field=_raw mode=sed "s/\bD(1[7|8|9]\d{4})\b/D20\1/g"


| makeresults 
| eval mydate = "D171228 D20170521 D180521" 
| makemv mydate 
| mvexpand mydate
| rename COMMENT as "The above just makes test data for changing a specific already-extracted date field."

| rename COMMENT as "This changes all 6-digit dates in that field starting with D17 through D19 to D2017 through D2019"
| rename COMMENT as "so the solution will not break for over two years"
| rename COMMENT as "this will work on a multivalue field as well, to demo just remove the mvexpand command"
| rex field=mydate mode=sed "s/^D(1[7|8|9]\d{4})$/D20\1/g"

Re: Eval Match function Issue

vikasreddy — Fri, 14 Jul 2017 15:51:12 GMT

Ya, it worked Thank you Niketnilay.

Re: Eval Match function Issue

niketn — Sat, 15 Jul 2017 08:53:55 GMT

@vikasreddy, have you tried the option suggested by DalJeanis, it employs single rex command with sed to format field as per you need. I think that is a better option.

Re: Eval Match function Issue

vikasreddy — Sat, 15 Jul 2017 09:08:22 GMT

Thank you DalJeanis, For you quick reply. It was awesome the whole thing can be done with single line.

Re: Eval Match function Issue

vikasreddy — Sat, 15 Jul 2017 09:11:36 GMT

@Niketnilay,Ya it is working for me, I have tried your options it is working later, I have made some tweaks in my code suggested by DalJeanis.

Re: Eval Match function Issue

niketn — Sun, 16 Jul 2017 03:20:02 GMT

@vikasreddy, if DalJeanis' answer also helped, please upvote his comment. I have already done the same.