Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Save an 'eval'-based field extraction?

andyspusm
Explorer
‎10-24-2011 10:07 AM

I am extracting a field "ipaddr" which is the result of using "eval" to convert a previously extracted field "nwclient_ip_hex" (IP address in hexadecimal, for example "a0b0c0d0") to decimal. The snippet below works fine in the Search app.

How can I save "ipaddr" as a field so that other users of the app will be able to use it without needing all of that logic in the search bar?

... |eval d1 = tonumber(substr(nwclient_ip_hex,1,2),16) |eval d2 = tonumber(substr(nwclient_ip_hex,3,2),16) |eval d3 = tonumber(substr(nwclient_ip_hex,5,2),16) |eval d4 = tonumber(substr(nwclient_ip_hex,7,2),16) |eval ipaddr = d1+"."+d2+"."+d3+"."+d4

Thanks - Andy

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-24-2011 01:03 PM

As of version 4.2.4, there is no way to do this. Search-time field extractions can only be simple substrings of the indexed data. You could encapsulate this logic in a macro, so the user sees less of the logic:

 ... | `convert_to_ip(nwclient_ip_hex)`

Where convert_to_ip() is defined as a macro that does the above. The user will still have to see the invocation of the macro, however.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-24-2011 01:03 PM

As of version 4.2.4, there is no way to do this. Search-time field extractions can only be simple substrings of the indexed data. You could encapsulate this logic in a macro, so the user sees less of the logic:

 ... | `convert_to_ip(nwclient_ip_hex)`

Where convert_to_ip() is defined as a macro that does the above. The user will still have to see the invocation of the macro, however.

0 Karma
Reply
Solved! Jump to solution

hulahoop
Splunk Employee
Splunk Employee
‎03-19-2013 11:34 PM

gkanapathy, any way to do this in 4.3 or 5.0?

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...