Splunk Search

My eval statement works in a direct inline search, but why is my calculated field configuration in props.conf not working?

chrisboy68
Contributor

Hi,

I have this in my props.conf

[emailAlerts2]
EVAL-Application = if(match(_raw,"\<EcomLogEntry\>\nDate:\s+\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d-0400"),"MyApp",Application)

But I'm banging my head why it's not working. When I do a direct inline search:

sourcetype=emailAlerts2 | eval Application = if(match(_raw,"\<EcomLogEntry\>\nDate:\s+\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d-0400"),"MyApp",Application)

It works! Any ideas? Stumped ...

Chris

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

The regex stuff in the props.conf file is different from an eval expression. You can't use if and functions like match.

Regex expressions should be able to match what you want, but you haven't given an example of your data.

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Sorry, I was confusing the EVAL in the props.conf a bit there.

Yes, you can do eval statements in the props.conf file. I do know there are some differences, but I don't think they relate to your eval statement.

Your example data doesn't have the leading \\n so I'm not sure what your data looks like still. Are you just trying to do some field extractions at index time? Are you sure you want to do it then, and not at search time (with a field extraction, or rex)? That way if your data changes, you are not making bad field extractions. One of the great benefits of Splunk is applying the structure on the data at search time and not at index time.

I hope I'm not bugging you with stupid questions or assumptions. I'm really trying to help as much as I can. 🙂

chrisboy68
Contributor

Hmm, sorry I didnt format the sample data. I'll try again below, but it looks like the code block may not work in the for comments.

Its just cleaner to have at index time so I can build dashboards on different "applications" that are the same source type and source.

Thanks for your help!

<EcomLogEntry>
Date: 2015-03-26T08:56:00-0400
Date: 3/26/2015 8:56 AM
Server: MyServer
Url: http://foobar.com
Exception Type: System.Web.HttpUnhandledException
Message: Exception of type 'System.Web.HttpUnhandledException' was thrown.
</EcomLogEntry>
0 Karma

chrisboy68
Contributor

Ok, i think I see why its happening, but I'm not sure how to fix it. I have two Field Calculations for the same Source with the same field name "Applicaiton". See below

if(match(_raw,"\nDate:\s+\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d-0400"),"MyApp",Application)

if(match(_raw,"\nMyApp2"),"MyApp2",Application)

It appears as though the first one hit gets resolved. When I deleted an readded a field calculation, the one that did not work, started working.

So, should I put this all on one line somehow?

Tx

Chris

0 Karma

chrisboy68
Contributor

Got a work around. My if statement was wonky. Below works fine for my and my environment.

if(match(_raw,"nDate:s+dddd-dd-ddTdd:dd:dd-0400"),"MyApp", "MyApp2")

Thanks!

Chris

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

That brings to mind the possibility that "Application" is not yet understood as a field when this is being done at index time. If it is extracted later than the time that the props.conf rule is executed, then it would not have anything to use for Application and then possible fail the rule entirely. So when you use two strings in your work around, it is able to do the substitution because the strings are appropriately defined.

Not sure if this is the case, but it seems like a plausible explanation.

0 Karma

chrisboy68
Contributor

Hi, thanks for your reply. Sample data below.

However, I'm confused. The EVAL on inline search has different syntax specs than the EVAL in the Props.conf?

Date: 2015-03-25T14:47:00-0400
Date: 3/25/2015 2:47 PM
Server: ServerName
Url: http://www.foobar.com
Exception Type: System.Web.HttpUnhandledException

Thank you,

Chris

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...