Getting Data In

What is the syntax for |makemv delim="|" when writing it in the props.conf file?

Yepeza
Path Finder

This works in the search bar |makemv delim="|", but not when I put that in the props.conf file.

1 Solution

beatus
Communicator

This sounds like a use case for fields.conf.

[myfield]
TOKENIZER = ([^\|]+)\|?


Yepeza
Path Finder

Figured out why it isn't working. The props.conf documentation states:

"Splunk processes calculated fields after field extraction and field aliasing but before lookups. This means that:
* You can use a field alias in the eval statement for a calculated field.
* You cannot use a field added through a lookup in an eval statement for a calculated field."

Had to create fields.conf. Details in accepted answer below.

0 Karma

Yepeza
Path Finder

Figured out why it isn't working. The props.conf documentation states:

"Splunk processes calculated fields after field extraction and field aliasing but before lookups. This means that:
* You can use a field alias in the eval statement for a calculated field.
* You cannot use a field added through a lookup in an eval statement for a calculated field."

and my input within my EVAL command was set by a lookup. So that's the reason it doesn't work 😕

beatus
Communicator

This sounds like a use case for fields.conf.

[myfield]
TOKENIZER = ([^\|]+)\|?

Yepeza
Path Finder

It worked. Thanks! I created the fields.conf and hex works as well.

[myfield]
TOKENIZER = ([^\x7c]+)

0 Karma

beatus
Communicator

Glad it worked! You can also use a tokenizer in |makemv to test before putting the configs in place.

0 Karma
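
Added example (not from the thread and not Splunk's code): a Python emulation of how a fields.conf TOKENIZER regex turns a raw value into a multivalue field by taking the first capture group of each match, run over the two patterns posted above. The sample values are constructed, and Python's `re` module is assumed to behave like Splunk's regex engine for these two patterns.

```python
import re

# The two TOKENIZER patterns posted in this thread.
TOKENIZERS = {
    "escaped pipe": r"([^\|]+)\|?",
    "hex pipe": r"([^\x7c]+)",
}


def tokenize(pattern, raw):
    """Emulate fields.conf TOKENIZER: scan the raw field value for successive
    regex matches and keep the first capture group of each match as one value.
    Assumption: Python's re engine stands in for Splunk's regex engine."""
    return [m.group(1) for m in re.finditer(pattern, raw)]


# Constructed sample values, not taken from real events.
SAMPLES = {
    "plain": "alpha|beta|gamma",
    "single": "alpha",
    "trailing": "alpha|beta|",
    "empty_slot": "alpha||gamma",
    "spaces": "10.0.0.5 | 10.0.0.9",
}


def compare(raw):
    """Return {tokenizer name: values} so any difference between the
    two patterns is easy to spot for a given raw value."""
    return {name: tokenize(p, raw) for name, p in TOKENIZERS.items()}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:11} {raw!r:24} {compare(raw)}")
```

Both patterns drop empty slots and a trailing delimiter, and both keep the whitespace around each value, so a value such as `" 10.0.0.9"` will not equal `"10.0.0.9"` in a later comparison unless it is trimmed.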

somesoni2
SplunkTrust

Try setting up a calculated field with the split command.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/definecalcfields

e.g.

props.conf

[yoursourcetype]
EVAL-YourFieldName = split(YourFieldName,"|")

Yepeza
Path Finder

I followed the syntax and it didn't work, but it does work in the search bar. I guess the .conf syntax is wrong?

0 Karma

somesoni2
SplunkTrust

Did you restart Splunk after you added this in props.conf? Did you create a local.meta entry for this? Maybe try adding this from Settings -> Fields -> Calculated fields.

0 Karma

Yepeza
Path Finder

Yes, I restarted Splunk after adding it to the props.conf and it still didn't work. I am not sure what the local.meta entry would be or be used for?

Different variations I have tried:
EVAL-YourFieldName = split(YourFieldName,"|")
EVAL-YourFieldName YourFieldName = split(YourFieldName,"|")
EVAL-YourFieldName = YourFieldName = split(YourFieldName,"|")

Maybe an extra set of quotes may do it

0 Karma

somesoni2
SplunkTrust

Can you try creating this from Splunk Web UI? (Settings -> Fields -> Calculated fields)

I hope you're creating these props.conf on the Search Head server.
Only variation 1 is valid.

0 Karma

Yepeza
Path Finder

Yes, as the props.conf has other stanzas which work fine.... just want to add the eval split command. And the UI didn't work either... there has to be some documentation on the syntax used in .conf files for calculated commands.

0 Karma

somesoni2
SplunkTrust

The syntax is available in the link that I provided (and also in the props.conf specification). Did you get any error while creating it from the UI, or did it just not work? After you created it from the UI, there should be a props.conf entry created for that calculated field. Could you provide that here? (Check props.conf in the local folder under the current app context.)

0 Karma

Yepeza
Path Finder

It is.... EVAL- = split(,"|") is the entry in the props.conf file after I created it from the UI, and it didn't work.... I also have field alias and lookups in the props.conf file

0 Karma