I have this in my props.conf
[emailAlerts2] EVAL-Application = if(match(_raw,"\<EcomLogEntry\>\nDate:\s+\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d-0400"),"MyApp",Application)
But I'm banging my head why it's not working. When I do a direct inline search:
sourcetype=emailAlerts2 | eval Application = if(match(_raw,"\<EcomLogEntry\>\nDate:\s+\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d-0400"),"MyApp",Application)
It works! Any ideas? Stumped ...
The regex stuff in the props.conf file is different from an eval expression. You can't use
if and functions like
Regex expressions should be able to match what you want, but you haven't given an example of your data.
Sorry, I was confusing the EVAL in the props.conf a bit there.
Yes, you can do eval statements in the props.conf file. I do know there are some differences, but I don't think they relate to your eval statement.
Your example data doesn't have the leading
\\n so I'm not sure what your data looks like still. Are you just trying to do some field extractions at index time? Are you sure you want to do it then, and not at search time (with a field extraction, or rex)? That way if your data changes, you are not making bad field extractions. One of the great benefits of Splunk is applying the structure on the data at search time and not at index time.
I hope I'm not bugging you with stupid questions or assumptions. I'm really trying to help as much as I can. 🙂
Hmm, sorry I didnt format the sample data. I'll try again below, but it looks like the code block may not work in the for comments.
Its just cleaner to have at index time so I can build dashboards on different "applications" that are the same source type and source.
Thanks for your help!
<EcomLogEntry> Date: 2015-03-26T08:56:00-0400 Date: 3/26/2015 8:56 AM Server: MyServer Url: http://foobar.com Exception Type: System.Web.HttpUnhandledException Message: Exception of type 'System.Web.HttpUnhandledException' was thrown. </EcomLogEntry>
Ok, i think I see why its happening, but I'm not sure how to fix it. I have two Field Calculations for the same Source with the same field name "Applicaiton". See below
It appears as though the first one hit gets resolved. When I deleted an readded a field calculation, the one that did not work, started working.
So, should I put this all on one line somehow?
That brings to mind the possibility that "Application" is not yet understood as a field when this is being done at index time. If it is extracted later than the time that the props.conf rule is executed, then it would not have anything to use for Application and then possible fail the rule entirely. So when you use two strings in your work around, it is able to do the substitution because the strings are appropriately defined.
Not sure if this is the case, but it seems like a plausible explanation.
Hi, thanks for your reply. Sample data below.
However, I'm confused. The EVAL on inline search has different syntax specs than the EVAL in the Props.conf?
Date: 3/25/2015 2:47 PM
Exception Type: System.Web.HttpUnhandledException