There are several macros/functions available like md5() or len(). So I was wondering if it was possible to add a custom function - something like
"index=* sourcetype=whatever TERM(extract_host($url$))" where extract_host calls a Python function that takes the token as an input and returns a new string that replaces the function call in the search, and after that, the search is executed.
Or something like
"eval host=extract_host($url$) | index=* sourcetype=whatever TERM(host)" ?
Thanks in advance.
<eval token="my_host">replace(replace($url$, "Prefix RegEx Here", null()), "Suffix RegEx Here", null())</eval>
Hey. Thanks for your answer. The replace part works when I try it in the search, but with "" instead of null().
But where do I have to put the line in the simple xml tree? I tried it in >/change> but it does not work. I then tried a statement in the change child and that worked. So could you or anyone provide a full example please?
I could not find anything helpful in the Splunk documentation or website.
<eval token="my_host">replace(replace($url$, "(https:\/\/|http:\/\/)?", ""), "\/(.*)", "")</eval>
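The reply above asks where the eval line belongs in the Simple XML tree. The following complete dashboard is an added example, not code from the original thread or from Splunk: it places the <eval> inside the <change> handler of a text input, derives the my_host token from the URL the user typed, and then uses that token in a panel search. The index, sourcetype, default URL and panel layout are assumptions chosen for illustration; the two regexes mirror the answer above but are anchored so that only a leading scheme and a trailing path are stripped.

```xml
<form version="1.1">
  <label>Host from URL (added example, not from the original thread)</label>

  <fieldset submitButton="false">
    <!-- Text input that sets $url$. The <change> block runs every time the value changes. -->
    <input type="text" token="url" searchWhenChanged="true">
      <label>URL</label>
      <!-- Constructed default value so the dashboard renders something on first load. -->
      <default>https://example.com/some/path?x=1</default>
      <change>
        <!-- $value$ is the new input value inside a <change> handler.
             Inner replace: drop an optional leading http:// or https://.
             Outer replace: drop everything from the first slash (the path) to the end.
             The result is stored in the my_host token for use in searches below. -->
        <eval token="my_host">replace(replace($value$, "^(https?:\/\/)?", ""), "\/.*$", "")</eval>
      </change>
    </input>
  </fieldset>

  <row>
    <panel>
      <!-- Shows the derived token so the user can verify the extraction. -->
      <title>Events for host: $my_host$</title>
      <table>
        <search>
          <!-- Token substitution happens before the search runs, so TERM() receives the
               literal host string. index and sourcetype here are placeholders. -->
          <query>index=* sourcetype=whatever TERM($my_host$) | stats count by sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The <change> element must sit directly inside the <input> element, and the token it defines ($my_host$) is only available after the input has a value, which is why a <default> is set. Using TERM() with a derived token is fine for exact host matches; if the URL contains a port (host:443), the trailing-path regex leaves it in place, so add a third replace for ":\d+$" if ports should be removed as well.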