Solved: Eval commands

HealyManTech · ‎04-11-2018

Does anyone know if you do a rex and create a new field could you use that field for the eval commands?

IE:
| rex field=_raw "ACTION:\s(?.*) RETURNCODE"
| eval desc = case (action = "100", "Successfully Deleted")
| table user host action desc

Anyone know??

prabhu77749 · ‎04-11-2018

yes we can... once you have extracted the field you can impose any function on top of that..

index=test_core source=abc ctx "1015" "SNB" "USA" | rex field=_raw "ctx+]=[(?P\d+)" | dedup ctxx
| eval desc = case (ctxx = "80000000", "Successfully Deleted")
| table sourcetype host ctxx desc

View solution in original post

prabhu77749 · ‎04-11-2018

yes we can... once you have extracted the field you can impose any function on top of that..

index=test_core source=abc ctx "1015" "SNB" "USA" | rex field=_raw "ctx+]=[(?P\d+)" | dedup ctxx
| eval desc = case (ctxx = "80000000", "Successfully Deleted")
| table sourcetype host ctxx desc

HealyManTech · ‎04-12-2018

That works.

somesoni2 · ‎04-11-2018

You definitely can. If the rex command is working correctly the field qould be created and be available to any subsequent command.

Eval commands

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation