Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

EVAL with field extracted from props.conf

johnmvang
Path Finder
‎06-02-2017 01:53 PM

Hello Everyone,

I'm having an issue where I cannot use EVAL in search or in the props.conf for a field that has been previously generated from the props.conf file.

Context:
I have a file like this

Heading_Line-0
D3012010900ABC803M R00011122 00000000000000012340000020621 CHK

D3012010900ABC803M R00112233 00000000000000001230000001435 CHK

D3012010900ABC809K R33222110 00000000000000043210000000100 CHK

D3012010900ABC807T R22200111 00000000000000054320000035663 CHK

I have already (successfully) extracted with the props.conf/transforms.conf a multi-value field called "check_amount" from the last 10 digits in the big set of numbers starting with all zeros

my props.conf reads:

[checks_source]
REPORT-mvfields = my_check_amount

my transforms.conf reads:

[my_check_amount]
REGEX = (?m)^\w+\s+\w+\s+\w{19}(?\d{10})
MV_ADD = true

0000000000000001234 0000020621
0000000000000000123 0000001435
0000000000000004321 0000000100
0000000000000005432 0000035663

Now when i run my search:

sourcetype=checks_source | eval check_amount = round(check_amount / 100, 2)

The check_amount field disappears. But I need to get a decimal point inbetween the last 2 digits and get rid of all the preceding zeroes.

my desired finished result would be to get the dollar amount in human readable format:

0000020621 = 206.21
0000001435 = 14.35
0000000100 = 1.00
0000035663 = 356.63

Any help is greatly appreciated.

Thanks,

John

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

johnmvang
Path Finder
‎06-02-2017 03:04 PM

Micahkemp answered this question. However he posted a comment, so i could not mark it, so i'm just adding the details and marking it as answered.

With my dilemma use MVEXPAND:

| mvexpand check_amount |eval fixed_value = round(check_amount / 100, 2)

or index the data as separate lines and then use the |EVAL in a search or in the props to have the work performed automatically.

Thanks,

John

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

johnmvang
Path Finder
‎06-02-2017 03:04 PM

Micahkemp answered this question. However he posted a comment, so i could not mark it, so i'm just adding the details and marking it as answered.

With my dilemma use MVEXPAND:

| mvexpand check_amount |eval fixed_value = round(check_amount / 100, 2)

or index the data as separate lines and then use the |EVAL in a search or in the props to have the work performed automatically.

Thanks,

John

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-03-2017 09:38 AM

Be sure to upvote his comments.

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎06-02-2017 02:24 PM

Is there any reason not to split those into multiple events? If not, you could do:

| mvexpand check_amount |eval fixed_value = round(check_amount / 100, 2)

Which would result in one event per check.

Edit: converted from comment to answer.

0 Karma
Reply
Solved! Jump to solution

johnmvang
Path Finder
‎06-02-2017 02:30 PM

Should i remove my existing props/transforms that is already doing the multi-value extraction prior to using mvexpand?

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎06-02-2017 02:32 PM

No, you need the values to be extracted before using mvexpand.

However, you might want to reconsider how your data is indexed, if it makes more sense for each line to be a separate event (which from an outsider point of view makes the most sense to me).

Reply
Solved! Jump to solution

johnmvang
Path Finder
‎06-02-2017 03:01 PM

I might be be able to do just that. I know indexing this file and breaking the file at each line will make life easier, I just had other data in the heading of the file that may be needed... I don't know yet.

Thanks man. I'll mark this as answered.

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎06-02-2017 01:59 PM

Do you still have this issue if you run the search in verbose mode, or changing the name of the field resulting from eval?

0 Karma
Reply
Solved! Jump to solution

johnmvang
Path Finder
‎06-02-2017 02:08 PM

I still have this issue in verbose mode or if i change the field name with EVAL.

If i did "|eval fixed_value = round(check_amount / 100, 2)" the "fixed_value" field never shows up.

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎06-02-2017 02:14 PM

And you see the check_amount field populated using that last search?

0 Karma
Reply
Solved! Jump to solution

johnmvang
Path Finder
‎06-02-2017 02:16 PM

yes, the check_amount field is still populated with the old set of values 0000020621 and etc. but the new fixed_value field is not there and i have no modified values: 206.21, etc.

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎06-02-2017 02:18 PM

Is check_amount a multi-value field, as indicated by MV_ADD=true? I think that may break your eval.

Reply
Solved! Jump to solution

johnmvang
Path Finder
‎06-02-2017 02:21 PM

Yes that is a multi-value field and I believe this is the problem. However, i'm looking for a solution to see if there is any way around it to get the desired results.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...