topic Eval commands in Splunk Search

Eval commands

HealyManTech — Wed, 11 Apr 2018 19:35:33 GMT

Does anyone know if you do a rex and create a new field could you use that field for the eval commands?

IE:
| rex field=_raw "ACTION:\s(?.*) RETURNCODE"
| eval desc = case (action = "100", "Successfully Deleted")
| table user host action desc

Anyone know??

Re: Eval commands

somesoni2 — Wed, 11 Apr 2018 19:57:32 GMT

You definitely can. If the rex command is working correctly the field qould be created and be available to any subsequent command.

Re: Eval commands

prabhu77749 — Tue, 29 Sep 2020 19:00:50 GMT

yes we can... once you have extracted the field you can impose any function on top of that..

index=test_core source=abc ctx "1015" "SNB" "USA" | rex field=_raw "ctx+]=[(?P\d+)" | dedup ctxx
| eval desc = case (ctxx = "80000000", "Successfully Deleted")
| table sourcetype host ctxx desc

Re: Eval commands

HealyManTech — Thu, 12 Apr 2018 10:52:28 GMT

That works.