Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Save an 'eval'-based field extraction?

andyspusm
Explorer
‎10-24-2011 10:07 AM

I am extracting a field "ipaddr" which is the result of using "eval" to convert a previously extracted field "nwclient_ip_hex" (IP address in hexadecimal, for example "a0b0c0d0") to decimal. The snippet below works fine in the Search app.

How can I save "ipaddr" as a field so that other users of the app will be able to use it without needing all of that logic in the search bar?

... |eval d1 = tonumber(substr(nwclient_ip_hex,1,2),16) |eval d2 = tonumber(substr(nwclient_ip_hex,3,2),16) |eval d3 = tonumber(substr(nwclient_ip_hex,5,2),16) |eval d4 = tonumber(substr(nwclient_ip_hex,7,2),16) |eval ipaddr = d1+"."+d2+"."+d3+"."+d4

Thanks - Andy

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-24-2011 01:03 PM

As of version 4.2.4, there is no way to do this. Search-time field extractions can only be simple substrings of the indexed data. You could encapsulate this logic in a macro, so the user sees less of the logic:

 ... | `convert_to_ip(nwclient_ip_hex)`

Where convert_to_ip() is defined as a macro that does the above. The user will still have to see the invocation of the macro, however.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-24-2011 01:03 PM

As of version 4.2.4, there is no way to do this. Search-time field extractions can only be simple substrings of the indexed data. You could encapsulate this logic in a macro, so the user sees less of the logic:

 ... | `convert_to_ip(nwclient_ip_hex)`

Where convert_to_ip() is defined as a macro that does the above. The user will still have to see the invocation of the macro, however.

0 Karma
Reply
Solved! Jump to solution

hulahoop
Splunk Employee
Splunk Employee
‎03-19-2013 11:34 PM

gkanapathy, any way to do this in 4.3 or 5.0?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...