Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the execution order for EXTRACT, REPORT, EVAL, LOOKUP and ALIAS in props.conf?

olivier_jpmc
Engager
‎05-28-2015 03:45 AM

Hello all,

Anyone would have an idea of the execution order of EXTRACT, REPORT, EVAL, LOOKUP and ALIAS in the props.conf?

I understand that REPORT-policy_date will be executed before REPORT-policy_name because of the ASCII order of the class, but how about:

  • EXTRACT-aa
  • REPORT-bb
  • EVAL-aa
  • LOOKUP-bb
  • ALIAS-aa

I have an ALIAS for instance that depends on a field extracted in a REPORT but it doesn't seem to work.

Regards,
Olivier

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-28-2015 09:05 AM

From this:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Addaliasestofields

We see this:
Important: Field aliasing is performed after key/value extraction but before field lookups. Therefore, you can specify a lookup table based on a field alias. This can be helpful if there are one or more fields in the lookup table that are identical to fields in your data, but have been named differently. For more information read "Configure CSV and external lookups" and "Configure KV store lookups" in this manual.

This implies that it happens before search-time extractions (REPORT-) so you would be best off changing your REPORT- to EXTRACT or you could perform a second REPORT- like this:

[MyFieldAlias]
SOURCE_KEY=MyField
REGEX=^(?<MyFieldAlias>.*)$

View solution in original post

Reply
Solved! Jump to solution

Lowell
Super Champion
‎10-06-2016 06:11 PM

Thanks to Matt Ness on the docs team for pointing out this link. This is pure gold!

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-28-2015 09:05 AM

From this:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Addaliasestofields

We see this:
Important: Field aliasing is performed after key/value extraction but before field lookups. Therefore, you can specify a lookup table based on a field alias. This can be helpful if there are one or more fields in the lookup table that are identical to fields in your data, but have been named differently. For more information read "Configure CSV and external lookups" and "Configure KV store lookups" in this manual.

This implies that it happens before search-time extractions (REPORT-) so you would be best off changing your REPORT- to EXTRACT or you could perform a second REPORT- like this:

[MyFieldAlias]
SOURCE_KEY=MyField
REGEX=^(?<MyFieldAlias>.*)$
Reply
Solved! Jump to solution

olivier_jpmc
Engager
‎05-29-2015 04:55 AM

Hello, thank you very much for your help. And nice finding.

I received this order of execution as well from a Splunk person, that confirms what you said:
• REPORT/EXTRACT
• FIELDALIAS
• EVAL
• LOOKUP

Thank you very much again.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...