How to write a Calculated field by extracting a value from an existing field using REGEX

Explorer

Hi Experts,

I want to create a calculated field called domainName from the SourcePath field.
The SourcePath field has this value: "/org/app/comp_domain123_port_host"

I need to extract the "domain123" string from the above field and store it in the domainName calculated field.
I probably have to write an eval expression, since I have to store this field under the "Calculated fields" settings in Splunk.
But with eval we cannot use rex, I suppose, so how do I achieve this? I read some examples saying we can use mvfilter along with a match function, but it didn't seem to work.

Any help would be appreciated 🙂

Regards,
Vinod


Re: How to write a Calculated field by extracting a value from an existing field using REGEX

SplunkTrust

You can use rex:

| yoursearch
| rex field=SourcePath "(?msi)^\/[^\/]+\/[^\/]+\/[^_]+_(?<domainName>[^_]+)"

For example, the following:

| stats count
| eval SourcePath = "/org/app/comp_domain123_port_host"
| rex field=SourcePath "(?msi)^\/[^\/]+\/[^\/]+\/[^_]+_(?<domainName>[^_]+)"

will create a new field called domainName with the value domain123.


Re: How to write a Calculated field by extracting a value from an existing field using REGEX

Ultra Champion

Vinod, you can do it in the calculated fields settings by specifying the new field name in Name and the eval expression in the Eval expression field. I just tried it by placing replace(adjd_dt,"-","") there and it worked just fine.


Re: How to write a Calculated field by extracting a value from an existing field using REGEX

Ultra Champion

But you are right Vinod, rex is a bit problematic in this case...


Re: How to write a Calculated field by extracting a value from an existing field using REGEX

SplunkTrust

Combining the rex from @javiergn and the replace function from @ddrillic, use this as your calculated field definition (if updating using props.conf), or just copy the part after EVAL-.

props.conf

[yoursourcetype]
EVAL-domain=replace(SourcePath,"^\/[^\/]+\/[^\/]+\/[^_]+_([^_]+).*$","\1")

(replace() substitutes the whole match with "\1", so the pattern has to consume the rest of the string with .*$; otherwise the result is "domain123_port_host" rather than "domain123".)
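The two approaches above behave differently: rex returns the named capture group, while replace() substitutes the whole match. This added Python check (not from the thread, and not Splunk code; Python's re engine is used as a stand-in for Splunk's PCRE, so the named group uses the (?P<name>...) spelling) runs both patterns against the constructed sample value from the question and shows why the replace() pattern needs a trailing .*$.

```python
import re

# Constructed sample value taken from the thread (not real data).
SAMPLE_PATH = "/org/app/comp_domain123_port_host"

# Capture-group pattern equivalent to the rex in the thread.
REX_PATTERN = r"^/[^/]+/[^/]+/[^_]+_(?P<domainName>[^_]+)"

# replace() substitutes the entire match, so the pattern must consume the rest
# of the string; the first form leaves "_port_host" behind.
REPLACE_PATTERN_PARTIAL = r"^/[^/]+/[^/]+/[^_]+_([^_]+)"
REPLACE_PATTERN_FULL = r"^/[^/]+/[^/]+/[^_]+_([^_]+).*$"


def rex_extract(path: str):
    """Mimic `rex field=SourcePath "..."`: return the named group or None."""
    m = re.search(REX_PATTERN, path)
    return m.group("domainName") if m else None


def eval_replace(path: str, pattern: str) -> str:
    """Mimic `eval x=replace(SourcePath, pattern, "\\1")`.

    Like Splunk's replace(), a non-matching pattern leaves the value unchanged.
    """
    return re.sub(pattern, r"\1", path)


if __name__ == "__main__":
    print("rex     :", rex_extract(SAMPLE_PATH))
    print("partial :", eval_replace(SAMPLE_PATH, REPLACE_PATTERN_PARTIAL))
    print("full    :", eval_replace(SAMPLE_PATH, REPLACE_PATTERN_FULL))
```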

Re: How to write a Calculated field by extracting a value from an existing field using REGEX

Builder

To my knowledge you cannot do this with an eval. I know this is not as convenient as a calculated field, but have you considered writing a rex command like the one below and saving it as a macro? That way you can invoke the extraction very quickly when needed.

mysearch | rex field=SourcePath "\/\w*\/\w*\/[a-zA-Z]*\_(?<domainName>[a-zA-Z0-9]*)"

Re: How to write a Calculated field by extracting a value from an existing field using REGEX

Splunk Employee

Any particular reason you need to do this with a calculated field versus a field extraction? If you're open to the field extraction, then jedatt01's solution can be leveraged under Settings -> Field Extractions. You can set it as inline, which will end up being an EXTRACT in props.conf.


Re: How to write a Calculated field by extracting a value from an existing field using REGEX

Explorer

Thanks all for your answers; I didn't expect so many answers in such a short span 🙂
I now realize that a Field Extraction would be a better choice, given that I actually need to be able to search on that extracted field (a Calculated field is more for projecting the result, I guess; I may be wrong).
I created an extracted field called "domainName" through "Settings -> Fields -> Extracted Fields" as below:

rex field=SourcePath "\/\w*\/\w*\/[a-zA-Z]*\_(?<domainName>[a-zA-Z0-9]*)"

I enabled read permissions for the "search" app, but I'm not able to search on this domainName:
when I search with host=host123 domainName=domain123, I don't get any results.

Searching with host=host123 SourcePath="/org/app/comp_domain123_port_host" returns results, though.

Any clues?

Another query: I don't find the "portName" extracted field in Selected fields, or interested fields or all fields sections. Is any configuration required to make them appear there?
