Splunk Search
Highlighted

Extracting calculated fields from an XML input doesn't work

Builder

I'm trying to extract some fields from an XML input. The sourcetype is set up correctly, and I get all kinds of extracted fields with long names such as objectdata.general.timestamp, objectdata.general.width{@unit} etc. My problem is this: calculated fields simply don't pick up the field names extracted from XML. For example, if I have an event looking like this:

<objectdata>
...
  <general>
  ...
    <width unit="inch">
      <value>17.3</value>
    </width>
    ...
  </general>
  ...
</objectdata>

In search, I see objectdata.general.width{@unit} as 'inch' and objectdata.general.width.value as 17.3. However, some of the objects have their width in 'mm', which, of course, needs to be divided by 25.4 to be converted to inches.

I wanted to calculate a new field and put this calculation in props.conf:

EVAL-objectWidth = objectdata.general.width.value / if(objectdata.general.width{@unit}=='mm',25.4,1)

but it doesn't work. No objectWidth field is created. I suspect it has something to do with the order of field extractions and evaluations in the pipeline. Is there a reasonable way to achieve what I want without putting the calculations into the search command each time?

0 Karma
Highlighted

Re: Extracting calculated fields from an XML input doesn't work

Influencer

It's likely due to the field names containing special characters. You could use a fieldalias to rename the fields, and then do the EVAL with the renamed fields, or you could try this:

EVAL-objectWidth = 'objectdata.general.width.value' /  (if('objectdata.general.width{@unit}'="mm",25.4,1))

FYI I have not tested the above EVAL expression

View solution in original post

Highlighted

Re: Extracting calculated fields from an XML input doesn't work

Influencer

Troubleshooting tip: Test the EVAL in search and get it to work there before putting it into props.conf 😉

0 Karma
Highlighted

Re: Extracting calculated fields from an XML input doesn't work

Builder

First of all, those single quotes around the names helped me in at least one other place - I had to distinguish between objectdata.timestamp and objectdata.general.timestamp, and EVAL-MyTimestamp='objectdata.general.timestamp' did solve this (I was not using single quotes previously).

However, the more complex eval with the if did not benefit enough from those - no field generated :(. And the eval does work from the search string! I tried both == and a single = as a comparison operator in props.conf to no avail. Search string accepts the C-style comparison (==) just fine.

Highlighted

Re: Extracting calculated fields from an XML input doesn't work

Builder

I also tried to use FIELDALIAS. The fields are aliased quite well, but the EVAL (working in search strings) is not working in props.conf :(.

0 Karma