Splunk Search

How to write a Calculated field by extracting a value from an existing field using REGEX

apvinod2003
Explorer

Hi Experts,

I'd like to create a calculated field called domainName from the SourcePath field.
The SourcePath field has this value: "/org/app/comp_domain123_port_host"

I need to extract the "domain123" string from the above field and store it in the domainName calculated field.
I'd probably have to write an eval expression, since I have to store this field under the "Calculated fields" settings in Splunk.
But with eval we cannot use rex, I suppose, so how do I achieve this? I read some examples saying we can use mvfilter along with a match function, but it didn't seem to work.

Any help would be appreciated 🙂

Regards,
Vinod

0 Karma

jsie_splunk
Splunk Employee

Any particular reason you need to do this with a calculated field versus a field extraction? If you're open to a field extraction, then jedatt01's solution can be leveraged under Settings -> Field Extractions. You can set it as inline, which will end up being an EXTRACT in props.conf.

0 Karma

apvinod2003
Explorer

Thanks all for your answers; I didn't expect so many answers in such a short span 🙂
I now realize that a Field Extraction would be a better choice, given that I actually need to be able to search on that extracted field (a calculated field is more for projecting the result, I guess; I may be wrong).
I created an extracted field called "domainName" through "Settings -> Fields -> Extracted Fields" as below:

rex field=SourcePath "\/\w*\/\w*\/[a-zA-Z]*\_(?<domainName>[a-zA-Z0-9]*)"

I enabled read permissions for the "search" app, but I'm not able to search on this domainName:
when I search with host=host123 domainName=domain123, I don't get any results.

Searching with host=host123 SourcePath="/org/app/comp_domain123_port_host" returns results, though.

Any clues?

Another query: I don't find the "portName" extracted field in the Selected Fields, Interesting Fields or All Fields sections. Is any configuration required to make them appear there?

0 Karma

jedatt01
Builder

To my knowledge you cannot do this with an eval. I know this is not as convenient as a calculated field, but have you considered writing a rex command like the one below and saving it as a macro? That way you can invoke the extraction very quickly when needed.

mysearch | rex field=SourcePath "\/\w*\/\w*\/[a-zA-Z]*\_(?<domainName>[a-zA-Z0-9]*)"
0 Karma

ddrillic
Ultra Champion

Vinod, you can do it in the calculated fields settings by specifying the new field name in Name and the eval expression in the Eval expression field. I just tried it by placing replace(adjd_dt,"-","") there and it worked just fine.

ddrillic
Ultra Champion

But you are right Vinod, rex is a bit problematic in this case...

0 Karma

somesoni2
Revered Legend

Combining the rex from @javiergn and the replace function from @ddrillic, use this as your calculated field definition (if updating via props.conf), or just copy the part after EVAL-domain= into the Calculated Fields settings:
props.conf

[yoursourcetype]
EVAL-domain=replace(SourcePath,"^\/[^\/]+\/[^\/]+\/[^_]+_([^_]+).*$","\1")

javiergn
Super Champion

You can use rex:

| yoursearch
| rex field=SourcePath "(?msi)^\/[^\/]+\/[^\/]+\/[^_]+_(?<domainName>[^_]+)"

For example, the following:

| stats count
| eval SourcePath = "/org/app/comp_domain123_port_host"
| rex field=SourcePath "(?msi)^\/[^\/]+\/[^\/]+\/[^_]+_(?<domainName>[^_]+)"

will create a new field called domainName with the value domain123.

0 Karma
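To make the two approaches in this thread (javiergn's rex with a named capture group, and somesoni2's replace()-based calculated field) concrete, here is an added example in Python that is not part of any post above. It reproduces both extractions with Python's re module on the sample SourcePath value from the question; note that Splunk's rex uses PCRE, where a named group is written (?<name>...), while Python spells it (?P<name>...). It also shows why a replace() pattern has to consume the rest of the string: replace() only rewrites the matched portion, so a pattern that stops right after the captured group leaves the trailing "_port_host" in place. The function names and the extra sample paths are constructed for this example.

```python
import re

# Constructed sample value, identical to the one in the question.
SOURCE_PATH = "/org/app/comp_domain123_port_host"

# Python-flavoured equivalent of the rex in javiergn's answer.
# PCRE (Splunk):  (?<domainName>[^_]+)
# Python re:      (?P<domainName>[^_]+)
REX_PATTERN = re.compile(r"^/[^/]+/[^/]+/[^_]+_(?P<domainName>[^_]+)")


def extract_with_rex(source_path):
    """Mimic `rex field=SourcePath ...`: return the named groups as a dict,
    or an empty dict when the value does not match (rex adds no field then)."""
    m = REX_PATTERN.match(source_path)
    return m.groupdict() if m else {}


# Pattern that stops right after the captured group: replace() then only
# rewrites "/org/app/comp_domain123" and leaves "_port_host" untouched.
REPLACE_PATTERN_PARTIAL = re.compile(r"^/[^/]+/[^/]+/[^_]+_([^_]+)")

# Appending .*$ makes the match cover the whole value, so the entire string
# collapses to group 1 and only the domain remains.
REPLACE_PATTERN_FULL = re.compile(r"^/[^/]+/[^/]+/[^_]+_([^_]+).*$")


def extract_with_replace(source_path, consume_rest=True):
    """Mimic eval replace(SourcePath, "<regex>", "\\1").

    Like Splunk's replace(), re.sub returns the input unchanged when the
    regex does not match, so a non-matching path is passed through as-is
    rather than producing an empty domain.
    """
    pattern = REPLACE_PATTERN_FULL if consume_rest else REPLACE_PATTERN_PARTIAL
    return pattern.sub(r"\1", source_path, count=1)


def compare_on_samples():
    """Run both extractions over a few constructed paths and return the results."""
    samples = [
        SOURCE_PATH,
        "/org/app/comp_domain456",      # no trailing segments after the domain
        "/org/app/nounderscore",        # no underscore at all: neither approach matches
    ]
    return {
        p: {
            "rex": extract_with_rex(p).get("domainName"),
            "replace_partial": extract_with_replace(p, consume_rest=False),
            "replace_full": extract_with_replace(p),
        }
        for p in samples
    }


if __name__ == "__main__":
    for path, result in compare_on_samples().items():
        print(path, "->", result)
```

When you paste a regex into the Calculated Fields UI or props.conf, the behaviour of replace() on non-matching events is worth remembering: an event whose SourcePath lacks the expected underscore keeps its full path as the "domain" value, which is easy to spot by searching for values containing a slash.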