Splunk Search

How to write a Calculated field by extracting a value from an existing field using REGEX

apvinod2003
Explorer

Hi Experts,

I'd want to create a calculated field called domainName from the SourcePath field.
SourcePath field has this value: "/org/app/comp_domain123_port_host"

I need to extract the "domain123" string from the above field and store it in domainName calculated field
I had to probably write an eval expression since I had to store this field under "calculated fields" settings in Splunk.
But with eval, we cannot use rex I suppose, so how do I achieve this? Read some examples that we can use mvfilter along with a match function, but it didn't seem to work.

Any help would be appreciated 🙂

Regards,
Vinod

0 Karma

jsie_splunk
Splunk Employee

Any particular reason you need to this with a calculated field versus a field extraction? If you're open to the field extraction, then jedatt01's solution can be leveraged under Settings -> Field Extractions. You can set it as inline, which will end up being an EXTRACT in props.conf.

0 Karma

apvinod2003
Explorer

Thanks all for your answers; didn't expect so many answers in a short span 🙂
I now realize that Field Extraction would be a better choice, given that I actually need to be able to search on that extracted field (Calculated field is more for projecting the result I guess, I may be wrong).
I had created an extracted field called "domainName" through "settings -> Fields -> Extracted Fields" as below:

rex field=SourcePath "\/\w*\/\w*\/[a-zA-Z]*\_(?<domainName>[a-zA-Z0-9]*)"

I had enabled read permissions for "search" app. But I'm not able to search on this domainName
when I search with host=host123 domainName=domain123, I don't get any results.

Search with host=host123 SourcePath = "/org/app/comp_domain123_port_host" returns results though.

Any clues ?

Another query: I don't find the "portName" extracted field in Selected fields, or interested fields or all fields sections. Is any configuration required to make them appear there?

0 Karma

jedatt01
Builder

To my knowledge you cannot do this with an eval. I know this is not as convenient as a calculated field, but have you considered writing a rex command like the below and save it as a macro? That way you can invoke the extraction very quickly when needed.

mysearch | rex field=SourcePath "\/\w*\/\w*\/[a-zA-Z]*\_(?<domainName>[a-zA-Z0-9]*)"

0 Karma

ddrillic
Ultra Champion

Vinod, you can do it in the calculated fields settings by specifying the new field name in Name and the eval expression in the Eval expression field. I just tried it by placing replace(adjd_dt,"-","") there and it worked just fine.

ddrillic
Ultra Champion

But you are right Vinod, rex is a bit problematic in this case...

0 Karma

somesoni2
Revered Legend

Combining rex from @javiergn and replace function from @ddrillic, use this as your calculated field definition (if updating using props.conf) OR just copy the part after EVAL-
props.conf

[yoursourcetype]
EVAL-domain=replace(SourcePath,"^\/[^\/]+\/[^\/]+\/[^_]+_([^_]+).*","\1")

javiergn
Super Champion

You can use rex:

| yoursearch
| rex field=SourcePath "(?msi)^\/[^\/]+\/[^\/]+\/[^_]+_(?<domainName>[^_]+)"

For example, the following:

| stats count
| eval SourcePath = "/org/app/comp_domain123_port_host"
| rex field=SourcePath "(?msi)^\/[^\/]+\/[^\/]+\/[^_]+_(?<domainName>[^_]+)"

Will create a new field called domainName with value domain123

0 Karma
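Added example, not from the thread and not Splunk code: a small Python script that replays the two approaches above (javiergn's rex extraction and somesoni2's eval replace()) against the constructed SourcePath value from the question, so you can see what each produces before committing it to props.conf. Splunk's (?<name>...) group syntax is written as Python's (?P<name>...), and the unescaped "/" is the only other difference from the posted patterns. The names rex_extract and eval_replace are this example's own. It also covers the edge case the thread does not show: a SourcePath that does not match at all, where rex simply adds no field but replace() returns the untouched input as the "domain" value.

```python
import re

# Constructed sample value, copied from the question in the thread.
SAMPLE_SOURCE_PATH = "/org/app/comp_domain123_port_host"

# javiergn's rex pattern; Splunk's (?<name>...) becomes (?P<name>...) in Python,
# and the (?msi) inline flags mean the same thing in both engines.
REX_PATTERN = re.compile(r"(?msi)^/[^/]+/[^/]+/[^_]+_(?P<domainName>[^_]+)")

# somesoni2's replace() regex without a trailing .* (only the matched prefix is
# replaced, so the tail of the string survives) ...
REPLACE_PATTERN_PREFIX_ONLY = r"^/[^/]+/[^/]+/[^_]+_([^_]+)"
# ... and with a trailing .* so the whole string is consumed by the match.
REPLACE_PATTERN_FULL = r"^/[^/]+/[^/]+/[^_]+_([^_]+).*"


def rex_extract(source_path):
    """Mimic `rex field=SourcePath "..."`: return the named group, or None when
    the regex does not match (rex then adds no domainName field at all)."""
    match = REX_PATTERN.search(source_path)
    return match.group("domainName") if match else None


def eval_replace(source_path, pattern):
    """Mimic Splunk's eval replace(X, regex, "\\1"): every match of regex is
    substituted by group 1, and any unmatched text is left exactly as it was.
    With no match the original string comes back unchanged."""
    return re.sub(pattern, r"\1", source_path)


def compare(source_path):
    """Run all three variants on one value and return the results side by side."""
    return {
        "rex": rex_extract(source_path),
        "replace_prefix_only": eval_replace(source_path, REPLACE_PATTERN_PREFIX_ONLY),
        "replace_full": eval_replace(source_path, REPLACE_PATTERN_FULL),
    }


if __name__ == "__main__":
    for path in (SAMPLE_SOURCE_PATH, "/org/app/nounderscore"):
        print(path, "->", compare(path))
```

The difference matters when the calculated field is later used as a search filter: a replace() regex that only matches a prefix leaves "_port_host" attached to the value, and a path that does not match at all yields the whole SourcePath as the domain, whereas the rex form leaves the field absent. Adding ".*" at the end of the replace() regex fixes the first problem; the second is inherent to replace(), so events that can legitimately carry a non-matching SourcePath are better served by a field extraction, as the thread concludes.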