Solved: Eval commands

HealyManTech · ‎04-11-2018

Does anyone know if you do a rex and create a new field could you use that field for the eval commands?

IE:
| rex field=_raw "ACTION:\s(?.*) RETURNCODE"
| eval desc = case (action = "100", "Successfully Deleted")
| table user host action desc

Anyone know??

prabhu77749 · ‎04-11-2018

yes we can... once you have extracted the field you can impose any function on top of that..

index=test_core source=abc ctx "1015" "SNB" "USA" | rex field=_raw "ctx+]=[(?P\d+)" | dedup ctxx
| eval desc = case (ctxx = "80000000", "Successfully Deleted")
| table sourcetype host ctxx desc

View solution in original post

prabhu77749 · ‎04-11-2018

yes we can... once you have extracted the field you can impose any function on top of that..

index=test_core source=abc ctx "1015" "SNB" "USA" | rex field=_raw "ctx+]=[(?P\d+)" | dedup ctxx
| eval desc = case (ctxx = "80000000", "Successfully Deleted")
| table sourcetype host ctxx desc

HealyManTech · ‎04-12-2018

That works.

somesoni2 · ‎04-11-2018

You definitely can. If the rex command is working correctly the field qould be created and be available to any subsequent command.

Eval commands

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

Detect and Resolve Issues in a Kubernetes Environment