How to write a Calculated field by extracting a value from an existing field using REGEX

apvinod2003
Explorer

Hi Experts,

I'd want to create a calculated field called domainName from the SourcePath field.
SourcePath field has this value: "/org/app/comp_domain123_port_host"

I need to extract the "domain123" string from the above field and store it in domainName calculated field
I probably have to write an eval expression, since I have to store this field under the "calculated fields" settings in Splunk.
But with eval we cannot use rex, I suppose, so how do I achieve this? I read some examples saying that we can use mvfilter along with a match function, but it didn't seem to work.

Any help would be appreciated 🙂

Regards,
Vinod

0 Karma

jsie_splunk
Splunk Employee

Any particular reason you need to this with a calculated field versus a field extraction? If you're open to the field extraction, then jedatt01's solution can be leveraged under Settings -> Field Extractions. You can set it as inline, which will end up being an EXTRACT in props.conf.

0 Karma

apvinod2003
Explorer

Thanks all for your answers; didn't expect so many answers in a short span 🙂
I now realize that Field Extraction would be a better choice, given that I actually need to be able to search on that extracted field (Calculated field is more for projecting the result I guess, I may be wrong).
I had created an extracted field called "domainName" through "settings -> Fields -> Extracted Fields" as below:

rex field=SourcePath "\/\w*\/\w*\/[a-zA-Z]*\_(?<domainName>[a-zA-Z0-9]*)"

I had enabled read permissions for the "search" app, but I'm not able to search on this domainName:
when I search with host=host123 domainName=domain123, I don't get any results.

Search with host=host123 SourcePath = "/org/app/comp_domain123_port_host" returns results though.

Any clues?

Another query: I don't find the "portName" extracted field in Selected fields, or interested fields or all fields sections. Is any configuration required to make them appear there?

0 Karma

jedatt01
Builder

To my knowledge you cannot do this with an eval. I know this is not as convenient as a calculated field, but have you considered writing a rex command like the one below and saving it as a macro? That way you can invoke the extraction very quickly when needed.

mysearch | rex field=SourcePath "\/\w*\/\w*\/[a-zA-Z]*\_(?<domainName>[a-zA-Z0-9]*)"

0 Karma

ddrillic
Ultra Champion

Vinod, you can do it in the calculated fields settings by specifying the new field name in Name and the eval expression in the Eval expression field. I just tried it by placing replace(adjd_dt,"-","") there and it worked just fine.

ddrillic
Ultra Champion

But you are right Vinod, rex is a bit problematic in this case...

0 Karma

somesoni2
SplunkTrust

Combining rex from @javiergn and replace function from @ddrillic, use this as your calculated field definition (if updating using props.conf) OR just copy the part after EVAL-
props.conf

[yoursourcetype]
# .* at the end consumes the rest of the path; without it, replace() leaves "_port_host" behind
EVAL-domain=replace(SourcePath,"^\/[^\/]+\/[^\/]+\/[^_]+_([^_]+).*","\1")

javiergn
SplunkTrust

You can use rex:

| yoursearch
| rex field=SourcePath "(?msi)^\/[^\/]+\/[^\/]+\/[^_]+_(?<domainName>[^_]+)"

For example, the following:

| stats count
| eval SourcePath = "/org/app/comp_domain123_port_host"
| rex field=SourcePath "(?msi)^\/[^\/]+\/[^\/]+\/[^_]+_(?<domainName>[^_]+)"

Will create a new field called domainName with value domain123

0 Karma
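The two approaches in this thread, jedatt01's and javiergn's rex with a named capture group and somesoni2's replace() with a backreference, behave differently on the same input, and the difference is easy to miss until a search on the calculated field returns nothing. The following is an added example, not code from the thread or from Splunk: it uses Python's re module to emulate what each approach yields on the example path, with Splunk's (?<name>...) group written in Python's (?P<name>...) form and the inline (?msi) flags passed as re flags. The second sample path (no underscore) is constructed here to show the no-match behaviour.

```python
import re
from typing import Optional

# Constructed sample values: the thread's example path, plus one path with no
# underscore at all to show what happens when the regex does not match.
SAMPLE_PATH = "/org/app/comp_domain123_port_host"
NO_UNDERSCORE_PATH = "/org/app/comp"

# javiergn's rex pattern; Splunk's (?<domainName>...) becomes Python's
# (?P<domainName>...) and (?msi) becomes re.M | re.S | re.I.
REX_PATTERN = re.compile(
    r"^\/[^\/]+\/[^\/]+\/[^_]+_(?P<domainName>[^_]+)",
    re.M | re.S | re.I,
)

# somesoni2's replace() pattern exactly as posted (nothing after the group) ...
REPLACE_PATTERN_UNANCHORED = r"^\/[^\/]+\/[^\/]+\/[^_]+_([^_]+)"
# ... and the same pattern with .* appended so the whole value is consumed.
REPLACE_PATTERN_FULL = r"^\/[^\/]+\/[^\/]+\/[^_]+_([^_]+).*"


def extract_with_rex(path: str) -> Optional[str]:
    """Emulate `rex field=SourcePath "..."`.

    rex only creates the named field when the regex matches; on a non-matching
    value it creates nothing, which is modelled here as None.
    """
    m = REX_PATTERN.search(path)
    return m.group("domainName") if m else None


def extract_with_replace(path: str, pattern: str) -> str:
    """Emulate `eval domainName=replace(SourcePath, pattern, "\\1")`.

    replace() rewrites only the matched span and leaves the rest of the string
    in place; a value that does not match comes back completely unchanged, so
    the calculated field silently holds the whole path instead of a domain.
    """
    return re.sub(pattern, r"\1", path)


if __name__ == "__main__":
    print(extract_with_rex(SAMPLE_PATH))                                  # domain123
    print(extract_with_rex(NO_UNDERSCORE_PATH))                           # None
    print(extract_with_replace(SAMPLE_PATH, REPLACE_PATTERN_UNANCHORED))  # domain123_port_host
    print(extract_with_replace(SAMPLE_PATH, REPLACE_PATTERN_FULL))        # domain123
    print(extract_with_replace(NO_UNDERSCORE_PATH, REPLACE_PATTERN_FULL)) # /org/app/comp
```

The unanchored replace() pattern yields domain123_port_host rather than domain123, which is why a search such as domainName=domain123 on a calculated field defined that way finds nothing; appending .* fixes that, but the no-match case still returns the untouched path, whereas rex simply produces no field. When the extracted value is meant to be searched on, check both cases against real SourcePath values before relying on the field.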