This works in the search bar |makemv delim="|", but not when I put that in the props.conf file.
Figured out why it isn't working. The props.conf documentation states:
"Splunk processes calculated fields after field extraction and field
aliasing but before lookups. This means that:
* You can use a field alias in the eval statement for a calculated
field.
* You cannot use a field added through a lookup in an eval statement for a
calculated field."
Had to create fields.conf. Details in accepted answer below.
Figured out why it isn't working. The props.conf documentation states:
"Splunk processes calculated fields after field extraction and field
aliasing but before lookups. This means that:
* You can use a field alias in the eval statement for a calculated
field.
* You cannot use a field added through a lookup in an eval statement for a
calculated field."
and my input within my EVAL command was set by a lookup. So that's the reason it doesn't work 😕
This sounds like a use case for fields.conf.
[myfield]
TOKENIZER = ([^\|]+)\|?
It worked. Thanks! I created the fields.conf and hex works as well.
[myfield]
TOKENIZER = ([^\x7c]+)
Glad it worked! You can also use a tokenizer in |makemv to test before putting the configs in place.
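Added example, not part of the original thread: a quick offline check that the two TOKENIZER regexes posted above split a pipe-delimited value the same way, including edge cases such as empty segments and leading or trailing pipes. It assumes the tokenizer is applied repeatedly and the first capture group of each match becomes one value; the sample strings and the function names are constructed for illustration.

```python
import re

# The two TOKENIZER values posted in the thread, copied verbatim.
TOKENIZERS = {
    "escaped pipe": r"([^\|]+)\|?",
    "hex pipe": r"([^\x7c]+)",
}


def tokenize(pattern, raw):
    """Return the first capture group of every successive match.

    Assumption: this mirrors how a fields.conf TOKENIZER builds a
    multivalue field (regex applied repeatedly, group 1 kept).
    """
    return [m.group(1) for m in re.finditer(pattern, raw)]


# Constructed sample values, including awkward edge cases.
SAMPLES = ["alpha|beta|gamma", "single", "|lead|trail|", "a||b", ""]


def compare(samples=SAMPLES):
    """Map each sample to the token list produced by each tokenizer."""
    return {
        s: {name: tokenize(p, s) for name, p in TOKENIZERS.items()}
        for s in samples
    }


def mismatches(samples=SAMPLES):
    """Samples on which the two tokenizers disagree (none expected)."""
    return [s for s, r in compare(samples).items()
            if r["escaped pipe"] != r["hex pipe"]]


if __name__ == "__main__":
    for sample, results in compare().items():
        print(repr(sample))
        for name, tokens in results.items():
            print(f"  {name:12} -> {tokens}")
    print("disagreements:", mismatches())
```

Both patterns skip empty segments, so a value like "a||b" yields two tokens rather than three.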
Try setting up calculated field with split command.
http://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/definecalcfields
e.g.
props.conf
[yoursourcetype]
EVAL-YourFieldName = split(YourFieldName,"|")
I followed the syntax and it didn't work, but it does work in the search bar, so I guess the .conf syntax is wrong?
Did you restart Splunk after you added this in props.conf? Did you create a local.meta entry for this? Maybe try adding this from Settings -> Fields -> Calculated fields.
Yes, I restarted Splunk after adding it to the props.conf and it still didn't work. I am not sure what the local.meta entry would be or be used for?
Different variations I have tried:
EVAL-YourFieldName = split(YourFieldName,"|")
EVAL-YourFieldName YourFieldName = split(YourFieldName,"|")
EVAL-YourFieldName = YourFieldName = split(YourFieldName,"|")
Maybe an extra set of quotes may do it
Can you try creating this from Splunk Web UI? (Settings -> Fields -> Calculated fields)
I hope you're creating these props.conf on the Search Head server.
Only the validation 1 is valid.
Yes, as the props.conf has other stanzas which work fine.... Just want to add the eval split command. And the UI didn't work either... There has to be some documentation on the syntax used in .conf files for calculated commands.
The syntax is available in the link that I provided (and also in the props.conf specification). Did you get any error while creating it from the UI, or did it just not work? After you created it from the UI, there should be a props.conf entry created for that calculated field; could you provide that here? (Check props.conf in the local folder under the current app context.)
It is.... EVAL- = split(,"|") is the entry in the props.conf file after I created it from the UI, and it didn't work.... I also have field aliases and lookups in the props.conf file