Re: Conditional Formatting of values with eval if ...

erikschubert · ‎02-03-2023

Hello everyone,

I have the following field and example value: sourcePort=514.000

I'd like to format these fields in such a way, that only the first digits until the point are kept. Furthermore, this should only apply to a certain group of events (group one).
Basically:
before: sourcePort=514.000
after: sourcePort=514

What I have until now:
search...
| eval sourcePort=if(group=one, regex part, sourcePort)

The regex to match only the digits is ^\d{1,5}
However, I am unsure how to work with the regex and if it is even possible to achieve my goal using this.

Thanks in advance

tpickle · ‎11-21-2023

I would use split and mvindex instead of rex:

| eval sourcePort=if(group=one,mvindex(split(sourcePort,"."),0),sourcePort)

diogofgm · ‎02-03-2023

You can use | rex to achieve that:

|rex field=sourcePort "(?<src_port>\d{1,5})"
|eval sourcePort=if(group=one,src_port,sourcePort)

------------
Hope I was able to help you. If so, some karma would be appreciated.

ITWhisperer · ‎02-03-2023

You can use the replace function (which supports regex)

| eval sourcePort=if(group=one,replace(sourcePort,"(?<p>\d{1,5})\.(?<q>.*)","\1"),sourcePort)

How to achieve conditional formatting of values with eval if and regex?

eval

fields

regex

rex

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Are you a member of the Splunk Community?