Can you provide a function which returns a string in an if statement? For example:
if(src=="-" OR src=="127.0.0.1", Computer, trim(Source_Workstation,"some string"))
reads as: if src = - or 127.0.0.1, return the value of the Computer field. Else, return the string value of trim, where some string has been removed.
When I run this eval, the first result performs as expected. However, the trim statement returns 1 or 0. In testing, this reports whether the trim actually trimmed anything (1 for yes, 0 for no). If I pipe it as a separate command, then I get the expected results (e.g. eval src=trim(Source_Workstation,"some string")). However, I want this to be in a calculated field extraction and I can't seem to have multiple calculations running over the same field (makes sense). This is an attempt to remove the leading "::ffff:" from some Windows event logs.
I was able to solve by appending a dollar sign to the field name $somefield from the sub search e.g. [search * | table foo | return $foo]
You could try rex instead, using mode=sed. Assuming the field you are working on is Source_Workstation, that would be
... | rex mode=sed field=Source_Workstation "s/^::ffff://"
The rex string says to s (substitute) whenever you see what's between the first two slashes (^::ffff:, where the caret means at the start of that field) the values between the second two (which is empty).
I don't have test data that matches yours right now, so I'm guessing. You can try dropping off the ^ at the front if it doesn't work with it. Otherwise, if you can paste in a couple of the actual strings I can tweak it a bit if necessary.
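As an added example (not part of the question or the answer above), the same normalization can be written entirely inside eval, which matters for the original goal: a calculated field is an EVAL- expression in props.conf, and rex is a search command that cannot be used there. Splunk's replace() eval function takes a regex, so it can strip the ::ffff: IPv4-mapped prefix the way the rex mode=sed form does. The field names src, Computer and Source_Workstation are the ones from the question; the three sample rows built with makeresults and case() are constructed test data.

```spl
| makeresults count=3
| streamstats count AS n
| eval src=case(n==1, "-", n==2, "127.0.0.1", n==3, "10.9.8.7")
| eval Computer=case(n==1, "WS01", n==2, "WS02", n==3, "WS03")
| eval Source_Workstation=case(n==1, "::ffff:10.1.2.3", n==2, "::ffff:10.2.2.2", n==3, "::ffff:10.9.8.7")
| eval src_normalized=if(src=="-" OR src=="127.0.0.1", Computer, replace(Source_Workstation, "^::ffff:", ""))
| table n src Computer Source_Workstation src_normalized
```

Rows 1 and 2 take the Computer value (WS01, WS02), and row 3 yields 10.9.8.7 with the prefix removed. The same if(...) expression, with the makeresults scaffolding dropped, can be placed as the value of an EVAL-src_normalized line under the relevant sourcetype stanza in props.conf (the stanza name depends on your Windows event log sourcetype). Using an anchored ^::ffff: rather than trim() is also the safer choice for a security field: trim() removes a set of characters from both ends of the value rather than a substring, so it can silently eat legitimate leading or trailing digits and colons from an address, which would corrupt later joins against asset inventories.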