Try setting up calculated field with split command.
[yoursourcetype] EVAL-YourFieldName = split(YourFieldName,"|")
I followed the syntax and it didn't work but does work in the search bar but i guess the .conf syntax is wrong?
Did you restart Splunk after you added this in props.conf? Did you create a local.meta entry for this? May be try adding this from Settings->Fields -> Calculated fields.
Yes I restarted splunk after adding it to the props.conf and it still didn't work. I am not sure what the local.meta entry would be or used?
different variations I have tried:
EVAL-YourFieldName = split(YourFieldName,"|")
EVAL-YourFieldName YourFieldName = split(YourFieldName,"|")
EVAL-YourFieldName = YourFieldName = split(YourFieldName,"|")
Maybe an extra set of qoutes may do it
Can you try creating this from Splunk Web UI? (Settings->Fields ->Calculated fields)
I hope you're creating these props.conf on the Search Head server.
Only the validation 1 is valid.
yes as the props.conf has other stanzas which work fine.... just want to add the eval split command. And the UI didn't work either... there has to be some documentation on the syntax used in .conf files for calculated commands.
The syntax is available in the link that I provided (and also in the props.conf specification). Did you get any error while creating it from UI OR it just didn't work? After you created from UI, there should be props.conf entry created for that calculated field, could you provide that here? (check props.conf on the local folder under current app context).
it is.... EVAL- = split(,"|") is the entry in the props.conf file after I created it in from the UI and didn't work.... I also have field alias and lookups in the props.conf file
This sounds like a use case for fields.conf.
[myfield] TOKENIZER = ([^\|]+)\|?