Solved: Why is eval in props.conf not performing in a part...

atulpatel · ‎06-19-2019

Below is my props.conf stanza please check I'm getting all fields except uid, even the url field which has similar extraction mechanism.

[my_sourcetype]
....
EVAL-message_id = mid
EVAL-url = substr(xurl, 0, 15)
EVAL-uid = substr(message_id, 0, 5)

VatsalJagani · ‎06-19-2019

Hello @atulpatel
Try this:

[my_sourcetype]
....
EVAL-message_id = mid
EVAL-url = substr(xurl, 0, 15)
EVAL-uid = substr(mid, 0, 5)

In your case it is not working because in props.conf all EVALs in a stanza execute parallel.

Hope this helps!!!

View solution in original post

VatsalJagani · ‎06-19-2019

Hello @atulpatel
Try this:

[my_sourcetype]
....
EVAL-message_id = mid
EVAL-url = substr(xurl, 0, 15)
EVAL-uid = substr(mid, 0, 5)

In your case it is not working because in props.conf all EVALs in a stanza execute parallel.

Hope this helps!!!

atulpatel · ‎06-20-2019

Yeah I got it.

FrankVl · ‎06-19-2019

Evals are not performed in any particular order. You cannot do an eval that depends on another eval.

You will need do EVAL-uid = substr(mid, 0, 5).

Or replace EVAL-message_id = mid by FIELDALIAS-mid_as_message_id = mid AS message_id. Field aliasing is performed after field extraction, but before calculated fields (EVAL-* statements), so you can use the message_id alias in your EVAL-uid.

atulpatel · ‎06-20-2019

I understand that all EVALs don't have any order.

Why is eval in props.conf not performing in a particular order?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!