Getting Data In

How to use Eval recursively?

Ismail_BSA
Path Finder

Hi,

We are using Splunk Cloud, so we can't access the conf files.

In one of our custom source types, we need to create multiple new fields. Those fields are calculated recursively, meaning Eval2 calls the result of Eval1, then Eval3 calls the result of Eval2...

Here are some examples of our Eval fields

EVAL-url_primaire_apache=if(match(url, "/"), mvindex(split(url, "/"), 0), url)
```if there is a (/) character, we only keep the first part before the first (/); if not, we use the full url field```

EVAL-url_primaire_apache_sans_ports=if(match(url_primaire_apache, ":"), mvindex(split(url_primaire_apache, ":"), 0), url_primaire_apache)
```We use the result from the previous Eval to extract only the first part before ":", or the full previous result```

Now the issue is that only the first field is generated. I think that might be fine since Evals are done in parallel.

I tried to create an alias on the result of the first Eval and then call it in the second Eval like this:

FIELDALIAS-url_primaire_apache_alias1=url_primaire_apache AS url_p_a

EVAL-url_primaire_apache_sans_ports=if(match(url_p_a, ":"), mvindex(split(url_p_a, ":"), 0), url_p_a)


However, this still doesn't work since only the first Eval field is created. Neither the alias nor the second Eval are created.

What am I missing? How can we create Eval fields recursively?


isoutamo
SplunkTrust

Hi

There is an order which defines how those are extracted, aliased etc. You can see it e.g. here: https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Knowledge/Searchtimeoperationssequence. Based on that, you see that in the extraction phase you cannot use aliases, as those are applied after all extractions have been done.

r. Ismo


gcusello
SplunkTrust

Hi @Ismail_BSA,

did you try to use the evals in the requested sequence directly in a search? It should run.

Then you could put these evals in a macro and call the macro all the times you need it.

Ciao.

Giuseppe


Ismail_BSA
Path Finder

Hi @gcusello 


Thank you for your reply.


That's exactly what we are doing now for searches. However, we were wondering if these fields could be directly calculated in the sourcetype. The final goal is to have those new fields in a data model and later call them in the correlation searches and notable events.

Regards,


gcusello
SplunkTrust

Hi @Ismail_BSA,

ok, you could use the first eval (in one calculated field) to have the first field "url_primaire_apache", and then nest the first in the second to calculate the second field "url_primaire_apache_sans_ports", something like this:

EVAL-url_primaire_apache_sans_ports=if(match(if(match(url, "/"), mvindex(split(url, "/"), 0), url), ":"), mvindex(split(if(match(url, "/"), mvindex(split(url, "/"), 0), url), ":"), 0), if(match(url, "/"), mvindex(split(url, "/"), 0), url))

Please adapt my approach to your evals.

Ciao.

Giuseppe

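The nesting gcusello describes gets unreadable by hand once there are three or four dependent calculated fields, so here is an added example (not from the thread, not Splunk code) that does the substitution mechanically: it takes the two EVAL expressions from the question, replaces every reference to another calculated field with that field's own expression, skips quoted string literals, and refuses dependency cycles. The field names and expressions are the ones posted above; everything else is an assumption of this example.

```python
import re

# Calculated fields as written in the question (props.conf EVAL- names
# without the EVAL- prefix); the second one depends on the first.
CALC_FIELDS = {
    "url_primaire_apache":
        'if(match(url, "/"), mvindex(split(url, "/"), 0), url)',
    "url_primaire_apache_sans_ports":
        'if(match(url_primaire_apache, ":"), '
        'mvindex(split(url_primaire_apache, ":"), 0), url_primaire_apache)',
}

_STRING = re.compile(r'"[^"]*"')                    # double-quoted literals
_IDENT = re.compile(r'\b[A-Za-z_][A-Za-z0-9_]*\b')  # field and function names


def inline_field(name, fields, _stack=()):
    """Expression for `name` with each reference to another calculated field
    replaced by that field's own (recursively inlined) expression.
    String literals are copied verbatim; a dependency cycle raises ValueError."""
    if name in _stack:
        raise ValueError("cycle: " + " -> ".join(_stack + (name,)))
    stack = _stack + (name,)
    expr = fields[name]
    out, pos = [], 0
    for lit in _STRING.finditer(expr):
        out.append(_rewrite(expr[pos:lit.start()], fields, stack))
        out.append(lit.group(0))
        pos = lit.end()
    out.append(_rewrite(expr[pos:], fields, stack))
    return "".join(out)


def _rewrite(chunk, fields, stack):
    # Only whole identifiers that name a calculated field are substituted;
    # `url` inside `url_primaire_apache` is never touched because of \b.
    def sub(m):
        ident = m.group(0)
        if ident in fields:
            return "(" + inline_field(ident, fields, stack) + ")"
        return ident
    return _IDENT.sub(sub, chunk)


def props_lines(fields):
    """One self-contained EVAL- line per field; because no line references
    another calculated field, the order Splunk evaluates them in no longer matters."""
    return ["EVAL-%s = %s" % (n, inline_field(n, fields)) for n in fields]
```

Calling `props_lines(CALC_FIELDS)` returns the two lines ready to paste into the calculated-field definitions; the second one contains only `url`, never `url_primaire_apache`.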