Getting Data In

How to use Eval recursively?

Ismail_BSA
Path Finder

Hi,

We are using Splunk Cloud, so we can't access the conf files.

In one of our custom source types, we need to create multiple new fields. Those fields are calculated recursively, meaning Eval2 uses the result of Eval1, then Eval3 uses the result of Eval2, and so on.

Here are some examples of our Eval fields

EVAL-url_primaire_apache=if(match(url, "/"), mvindex(split(url, "/"), 0), url) ```if there is a (/) character, we only keep the first part before the first (/); if not, we use the full url field```

EVAL-url_primaire_apache_sans_ports=if(match(url_primaire_apache, ":"), mvindex(split(url_primaire_apache, ":"), 0), url_primaire_apache) ```We use the result of the previous Eval to extract only the first part before ":", or the full previous result```

Now the issue is that only the first field is generated. I think that might be expected, since Evals are done in parallel.

I tried to create an alias on the result of the first Eval and then call it in the second Eval like this:

FIELDALIAS-url_primaire_apache_alias1=url_primaire_apache AS url_p_a

EVAL-url_primaire_apache_sans_ports=if(match(url_p_a, ":"), mvindex(split(url_p_a, ":"), 0), url_p_a)

However, this still doesn't work, since only the first Eval field is created. Neither the alias nor the second Eval field is created.

What am I missing? How can we create Eval fields recursively?

0 Karma

isoutamo
SplunkTrust

Hi

There is an order which defines how those are extracted, aliased, etc. You can see it e.g. here: https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Knowledge/Searchtimeoperationssequence. Based on that, you can see that in the extraction phase you cannot use aliases, as those are applied after all extractions have been done.

r. Ismo

0 Karma

gcusello
SplunkTrust

Hi @Ismail_BSA,

Did you try to use the evals in the required sequence directly in a search? It should run.

Then you could put these evals in a macro and call the macro every time you need it.

Ciao.

Giuseppe


0 Karma

Ismail_BSA
Path Finder

Hi @gcusello 

Thank you for your reply.

That's exactly what we are doing now for searches. However, we were wondering if these fields could be calculated directly in the sourcetype. The final goal is to have those new fields in a data model and later use them in correlation searches and notable events.

Regards,

0 Karma

gcusello
SplunkTrust

Hi @Ismail_BSA,

OK, you could use the first eval (in one calculated field) to get the first field "url_primaire_apache", and then nest the first expression inside the second to calculate the second field "url_primaire_apache_sans_ports", something like this:

EVAL-url_primaire_apache_sans_ports=if(match(if(match(url, "/"), mvindex(split(url, "/"), 0), url), ":"), mvindex(split(if(match(url, "/"), mvindex(split(url, "/"), 0), url), ":"), 0), if(match(url, "/"), mvindex(split(url, "/"), 0), url))

Please adapt my approach to your evals.

Ciao.

Giuseppe

0 Karma
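As an added example (not part of the thread, and not the original poster's configuration), here is what the complete props.conf stanza looks like once the first calculated field is inlined into the second. The sourcetype name `apache_custom` is assumed. All `EVAL-` calculated fields in a stanza are evaluated against the event as it looks before any calculated field or alias exists, which is why `url_primaire_apache` is not visible to the second expression and has to be repeated. In Splunk Cloud, where props.conf is not editable directly, the same `EVAL-` entries can be created from Settings > Fields > Calculated fields.

```ini
# Added example (not from the thread). Sourcetype name is assumed.
[apache_custom]

# Everything before the first "/" (or the whole url if there is none).
EVAL-url_primaire_apache = if(match(url, "/"), mvindex(split(url, "/"), 0), url)

# Same thing with the port removed. The first expression is inlined three
# times (in the match() test and in both if() branches) instead of
# referencing url_primaire_apache, which does not exist yet at this point.
EVAL-url_primaire_apache_sans_ports = if(match(if(match(url, "/"), mvindex(split(url, "/"), 0), url), ":"), mvindex(split(if(match(url, "/"), mvindex(split(url, "/"), 0), url), ":"), 0), if(match(url, "/"), mvindex(split(url, "/"), 0), url))

# Equivalent, shorter form. split() on a string that does not contain the
# separator returns the whole string as a single value, so mvindex(..., 0)
# already yields the full url when there is no "/" (or no ":"), and the
# if(match(...)) guards are not needed.
EVAL-url_primaire_apache_sans_ports_v2 = mvindex(split(mvindex(split(url, "/"), 0), ":"), 0)
```

Before relying on the fields in a data model, check them with a search over the sourcetype that applies the same expressions in order, e.g. `index=web sourcetype=apache_custom | eval a=mvindex(split(url, "/"), 0) | eval b=mvindex(split(a, ":"), 0) | table url url_primaire_apache url_primaire_apache_sans_ports a b`, and confirm that the calculated fields match `a` and `b` for URLs with and without a path and with and without a port. Note that if the `url` value starts with a scheme such as `http://`, the first element after splitting on `/` is `http:`, so the expressions above only behave as intended when `url` holds `host[:port][/path]` without a scheme.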