Re: Conditional Formatting of values with eval if ...

erikschubert · ‎02-03-2023

Hello everyone,

I have the following field and example value: sourcePort=514.000

I'd like to format these fields in such a way, that only the first digits until the point are kept. Furthermore, this should only apply to a certain group of events (group one).
Basically:
before: sourcePort=514.000
after: sourcePort=514

What I have until now:
search...
| eval sourcePort=if(group=one, regex part, sourcePort)

The regex to match only the digits is ^\d{1,5}
However, I am unsure how to work with the regex and if it is even possible to achieve my goal using this.

Thanks in advance

tpickle · ‎11-21-2023

I would use split and mvindex instead of rex:

| eval sourcePort=if(group=one,mvindex(split(sourcePort,"."),0),sourcePort)

diogofgm · ‎02-03-2023

You can use | rex to achieve that:

|rex field=sourcePort "(?<src_port>\d{1,5})"
|eval sourcePort=if(group=one,src_port,sourcePort)

------------
Hope I was able to help you. If so, some karma would be appreciated.

ITWhisperer · ‎02-03-2023

You can use the replace function (which supports regex)

| eval sourcePort=if(group=one,replace(sourcePort,"(?<p>\d{1,5})\.(?<q>.*)","\1"),sourcePort)

How to achieve conditional formatting of values with eval if and regex?

eval

fields

regex

rex

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation