Solved: Re: How to use eval to change a field's value?

guillecasco · ‎05-18-2016

Is it possible with EVAL do the following? I have a field named version which brings the value like this:

Version
60101228
50201315

but I would like to change it for the following (and maintain the original)

Version
" 60101228 or 6.1.1228"
"50201315 or 5.2.1315"

Where a 0 (zero) is replaced for a dot (.). I need this because later I will need both values in a dynamic drop-down search in which values can appear in both ways.

Can eval do this? Maybe other function? thanks!

sundareshr · ‎05-18-2016

Try this

index=* usearch | rex "\"version\": \"(?\w*)\"" | dedup Version | eval version = replace(version,"0",".") | table Version

View solution in original post

nawazns5038 · ‎12-20-2016

eval version2=replace(version,"0",".") | eval new_version= version+" or "+ version2 | rename new_version AS version.

This avoids confusion between field names .

jkat54 · ‎05-18-2016

index=* usearch
|rex "\"version\": \"(?<major>\d)(?<minor1>\d{2})(?<minor2>\d{2})(<minor3>\d{3})\""  
|eval Version=major.".".minor1.".".minor2.".".minor3 
|eval Version=replace(Version,"0","")
|table Version

jkat54 · ‎05-18-2016

index=* usearch 
|rex "\"version\": \"(?\w*)\"" 
|dedup Version
|rex field=Version mode=sed "s/(\d)(\d{2})(\d{2})(\d{3})/\1.\2.\3.\4/g" 
|eval Version=replace(Version,"0","") 
|table Version

sundareshr · ‎05-18-2016

Try this

index=* usearch | rex "\"version\": \"(?\w*)\"" | dedup Version | eval version = replace(version,"0",".") | table Version

sundareshr · ‎05-18-2016

If you want both formats, try this

| eval version=version." OR ".replace(version, "\.", "0")

robertlynch2020 · ‎04-13-2017

is there anyway to replace all non alphanumeric with a value?

somesoni2 · ‎04-13-2017

What is your use-case? Can you provide some sample of current and expected values?

robertlynch2020 · ‎04-13-2017

Thanks for your help

In Datamodels, i am trying to change the data i am reading in to have only alphanumeric

What i have
peter hi
ex⁢
field=1;like&
name
john

What i want
peterhi
exit
field1like
name
john

so i have been trying the following and it working for one, but i want one command for all non alphanumeric.
replace(Context,";","")
replace(Context,"=","")
replace(Context," ","")
replace(Context,"&","")

jkat54 · ‎04-13-2017

Just use \W instead of each non-alphanumeric character you're currently using.

replace(Context,"\W","")

robertlynch2020 · ‎04-14-2017

This worked, thanks :).

However i have another issues where i am trying to do the same thing in props.conf
However i cant seem to get the REG to work

(?P<Elapsed>\w+)|

The idea is to change the Data at the initial point.

any help would be great 🙂

So the data is

20151029|12:31:00|MUREXFO   |     1 |SessionCreate                 |MXDIS..&PATCHER                  |   0.21s|   0.22s|100%|  -0.01s|   0% |                                      |1065.44Mb
20151029|12:31:00|MUREXFO   |     2 |RequestDocument3              |MXD~'##ISPATCHER                  |   0.01s|   0.03s|100%|  -0.02s|   0% |                                      |1065.65Mb
20151029|12:31:00|MUREXFO   |     3 |RequestDocument3              |MXDISP..??ATCHER                  |   0.01s|   0.01s|100%|   0.00s|   0% |

The code i have is

^(?:[^\|\n]*\|){5}(?P<Command>\w+)| *-*(?P<Elapsed2>\d+\.\d+)\w+\| *-*(?P<CPU>\d+\.\d+)s\| *-*(?P<CPU_PER>\d+)%\| *-*(?P<RDB_COM>\d+\.\d+)s\| *-*(?P<RDB_COM_PER>\d+)%\s+\|

The issues is i am only getting the first few characters, and i want all alpha-numeric the pipe |

So i have
MXDIS..&PATCHER
MXD~'##ISPATCHER
MXDISP..??ATCHER

I want
MXDISPATCHER
MXDISPATCHER
MXDISPATCHER

jkat54 · ‎04-14-2017

You should open a new question for this. Thanks!

jkat54 · ‎04-13-2017

Use this regex for the match

\W

Only it will match underscore too.

somesoni2 · ‎05-18-2016

Try something like this.

| gentimes start=-1 | eval Version="60101228 50201315" | makemv Version | mvexpand Version | table Version 
| eval Version1=replace(Version,"^(\d)(\d{2})(\d{2})(\d+)","\1\2\3\4 OR \1.\2.\3.\4")  
| eval Version2=replace(Version1,"(\d+)\sOR\s(\d)\.0*([^\.]+)\.0*([^\.]+)\.([^\.]+)","\1 OR \2.\3.\4.\5")

Line 1 is just to generate sample data, replace it with your search
Line two gives a conversion (with leading 0s). If that works you can use just the line 2. If not, use both line 2 and line 3.

AshimaE · ‎07-06-2017

@somesoni2 I tried a similar thing. On using two evals it is giving the error Error in 'eval' command: Regex: quantifier does not follow a repeatable item I need to need to replace two different original character sequences with the same replacement character.

guillecasco · ‎05-18-2016

how about the other way round?

version
1.2.3

to

version
1.2.3 or 10203

guillecasco · ‎05-18-2016

maybe I wasn't quite clear. This is the search and results.

index=* usearch |rex "\"version\": \"(?\w*)\"" |dedup Version |table Version

Version
60201327
60201528
60201827
60201429
50201219
50201413

now i would like to replace those value for :
Version
60201327 OR 6.2.1327
60201528 OR 6.2.1528

jkat54 · ‎05-18-2016

It's exactly what he gave but slightly modified:

 index=* usearch |rex "\"version\": \"(?\w*)\"" |dedup Version
| eval Version1=replace(Version,"^(\d)(\d{2})(\d{2})(\d+)","\1\2\3\4 OR \1.\2.\3.\4")  
| eval Version=replace(Version1,"(\d+)\sOR\s(\d)\.0*([^\.]+)\.0*([^\.]+)\.([^\.]+)","\1 OR \2.\3.\4.\5")
| table Version

guillecasco · ‎05-18-2016

yes but how can i do it without the 0 in the second part? i have it like this:

Version
30201425 OR 3.02.01.425
30201424 OR 3.02.01.424

just need the 3.2.1.425

guillecasco · ‎05-18-2016

sorry i missunderstood, it´s working now, thanks!

jmallorquin · ‎05-18-2016

Hi,

Yes but with rex

|rex field=Version "(?<1>.)(?<2>.)(?<3>....)
| eval Version = 1.".".2.".".3

Hope i help you

How to use eval to change a field's value?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!