Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use Eval recursively?

Ismail_BSA
Path Finder
‎05-15-2024 09:36 AM

Hi,

We are using Splunk Cloud, so we can't access the conf files.

In one of our custom source types, we need to create multiple new fields. Those fields are calculated recursevaly meaning Eval2 calls result of Eval1, then Eval3 calls results of Eval 2....

Here are some examples of our Eval fields

EVAL-url_primaire_apache=if(match(url, "/"), mvindex(split(url, "/"), 0), url) ```if there is a (/) caracter, we only keep the first part before the first (/), if not, we use the full url field```

EVAL-url_primaire_apache_sans_ports=if(match(url_primaire_apache, ":"), mvindex(split(url_primaire_apache, ":"), 0), url_primaire_apache) ```We use the result from the previous Eval to extract only the first part before ":" or the full previous result```

Now the issue is that only the first field is generated. I think that might be fine since Evals are done in parallel.

I tried to create an alias on the result of the first Eval and then call it in the second Eval like this:

FIELDALIAS-url_primaire_apache_alias1=url_primaire_apache AS url_p_a

EVAL-url_primaire_apache_sans_ports=if(match(url_p_a, ":"), mvindex(split(url_p_a, ":"), 0), url_p_a)

Ismail_BSA_1-1715790800924.png

 

However, this still doesn't work since only the first Eval field is created. Neither the alias nor the second Eval are created.

What am I missing? How can we create Eval fields recursively?

 

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-16-2024 01:12 PM

Hi

there is order which defines how those are extracted, aliased etc. You can see it e.g. here https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Knowledge/Searchtimeoperationssequence. Based on that you see that in extract phase you cannot use aliases as those are applied after all extractions have done.

r. Ismo

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-15-2024 10:22 PM

Hi @Ismail_BSA,

did you tried to use the evals in the requested sequence directly in a search? it should run.

Then you could put these evals in a macro and call the macro all the times you need it.

Ciao.

Giuseppe

 

0 Karma
Reply

Ismail_BSA
Path Finder
‎05-16-2024 07:24 AM

Hi @gcusello 

 

Thank you for your reply.

 

That's exactly what we are doing now for searches. However, we were wondering if these fields could be directly calculated in the sourcetype. The final goal is to have those new fields in a data model and later call them in the correlation seraches and notable events.

Regards,

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-16-2024 07:35 AM

Hi @Ismail_BSA,

ok, you could use the first eval (in one calculated field) to have the first field "url_primaire_apache" and then  nest the first in the second to calculate the second field "url_primaire_apache_sans_ports", something like this:

EVAL-url_primaire_apache_sans_ports=if(match(if(match(url, "/"), mvindex(split(url, "/"), 0), url), ":"), mvindex(split(url_primaire_apache, ":"), 0), url_primaire_apache) ```

Please adapt my approach to your evals.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...