Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Save an 'eval'-based field extraction?

andyspusm
Explorer
‎10-24-2011 10:07 AM

I am extracting a field "ipaddr" which is the result of using "eval" to convert a previously extracted field "nwclient_ip_hex" (IP address in hexadecimal, for example "a0b0c0d0") to decimal. The snippet below works fine in the Search app.

How can I save "ipaddr" as a field so that other users of the app will be able to use it without needing all of that logic in the search bar?

... |eval d1 = tonumber(substr(nwclient_ip_hex,1,2),16) |eval d2 = tonumber(substr(nwclient_ip_hex,3,2),16) |eval d3 = tonumber(substr(nwclient_ip_hex,5,2),16) |eval d4 = tonumber(substr(nwclient_ip_hex,7,2),16) |eval ipaddr = d1+"."+d2+"."+d3+"."+d4

Thanks - Andy

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-24-2011 01:03 PM

As of version 4.2.4, there is no way to do this. Search-time field extractions can only be simple substrings of the indexed data. You could encapsulate this logic in a macro, so the user sees less of the logic:

 ... | `convert_to_ip(nwclient_ip_hex)`

Where convert_to_ip() is defined as a macro that does the above. The user will still have to see the invocation of the macro, however.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-24-2011 01:03 PM

As of version 4.2.4, there is no way to do this. Search-time field extractions can only be simple substrings of the indexed data. You could encapsulate this logic in a macro, so the user sees less of the logic:

 ... | `convert_to_ip(nwclient_ip_hex)`

Where convert_to_ip() is defined as a macro that does the above. The user will still have to see the invocation of the macro, however.

0 Karma
Reply
Solved! Jump to solution

hulahoop
Splunk Employee
Splunk Employee
‎03-19-2013 11:34 PM

gkanapathy, any way to do this in 4.3 or 5.0?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...