Solved: How to write Data Model mapping expressions in add...

kathychurch · ‎01-17-2019

I am building an add-on with the Splunk Add-On builder and want to map some of my data to CIM types.
The "FIELDALIAS" mapping type is very straightforward and works fine. But I can't find any examples or documentation for how to do an "EVAL" type of mapping for the more complicated cases. Anyone know the proper way to format these expressions?

Thank you for any help!

alt text

chli_splunk · ‎01-17-2019

Basically this is an interactive tool to let you call Splunk Eval functions. Please refer Splunk documents for details.
https://docs.splunk.com/Documentation/SplunkCloud/7.1.3/SearchReference/CommonEvalFunctions

View solution in original post

chli_splunk · ‎01-17-2019

Basically this is an interactive tool to let you call Splunk Eval functions. Please refer Splunk documents for details.
https://docs.splunk.com/Documentation/SplunkCloud/7.1.3/SearchReference/CommonEvalFunctions

kathychurch · ‎01-17-2019

OK, thank you.

I have 2 scenarios

I want to populate a static string. Is the best way to do this with an expression like this: printf("%s","Foo")
I want to break up one field (a URL) into several fields in the Web CIM (uri_path and uri_query). I wrote a regular expression for this purpose, is there any way to use it here?

How to write Data Model mapping expressions in add-on builder?

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)