Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to save an eval urldecode as a field in Splunk 6.3.3?

rewritex
Contributor
‎04-25-2016 03:30 PM

I am trying to save this search below as a field for my user to be able to see on their "selected fields" during their new search and be able to click on it to see the pre-created reports.

I've read the Splunk Answers post about "Save an 'eval'-based field extraction" which points me to setting up a macro.... I would like to know if this is the best route or is there different advice for handling this.... maybe reworking my thinking all together.

Search string

index=test1 | transaction session_id | eval user_agent_string_decoded=urldecode(user_agent_string_encoded)

1)The logged event:

Mozilla%2f4.0%20(compatible%3b%20MSIE%207.0%3b%20Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f7.0%3b%20SLCC2%3b%20.NET%20CLR%202.0.50727%3b%20.NET%20CLR%203.5.30729%3b%20.NET%20CLR%203.0.30729%3b%20Media%20Center%20PC%206.0%3b%20.NET4.0E%3b%20InfoPath.3%3b%20.NET4.0C).

2) I capture this into the field user_agent_string_encoded)
3) I decode it using the above search string

Thank You,
Sean

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cramasta
Builder
‎04-25-2016 08:56 PM

Setting up a macro is fine if you dont need to do the decoding every time you search. You can use the macro as needed.

If you wanted this decoding to happen automatically every time someone searches that sourcetype you can add this to your props.conf on your search head. You should be able to apply the setting with out restartng by loading the debug/refresh endpoint on your search head
your-splunk-server.net:8000/en-US/debug/refresh

[theSourceType]
EVAL-user_agent_string_decoded = urldecode(user_agent_string_encoded)

http://docs.splunk.com/Documentation/Splunk/6.0.6/Knowledge/definecalcfields

View solution in original post

Reply
Solved! Jump to solution
Solution

cramasta
Builder
‎04-25-2016 08:56 PM

Setting up a macro is fine if you dont need to do the decoding every time you search. You can use the macro as needed.

If you wanted this decoding to happen automatically every time someone searches that sourcetype you can add this to your props.conf on your search head. You should be able to apply the setting with out restartng by loading the debug/refresh endpoint on your search head
your-splunk-server.net:8000/en-US/debug/refresh

[theSourceType]
EVAL-user_agent_string_decoded = urldecode(user_agent_string_encoded)

http://docs.splunk.com/Documentation/Splunk/6.0.6/Knowledge/definecalcfields

Reply
Solved! Jump to solution

rewritex
Contributor
‎04-27-2016 11:35 AM

I was working to this direction right after I asked the question. Your comment helped me validate my direction.
Thank You!

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...