Solved: Re: Use double eval function for an extracted fiel...

soumyacharya91 · ‎04-24-2018

Hi All,

I have extracted a field from my raw data using eval replace function. Now I want to use the eval split function on that recently extrated field in props.conf. Please find the below command for details.

[sourcetype]
EVAL-field1 = replace(,"[][\"]","") This extraction is working fine.

Now I want to split the field1 values by using EVAL-field1=split(,",")

But I'm unable to do the second extraction. Any help will be highly appreciated.

Thanks,

FrankVl · ‎04-24-2018

Just write it in 1 eval statement:

EVAL-field1 = split(replace(,"[\][\"]",""),",")

PS: what did you have as the first parameter of the replace function? Why did you leave that out of your example? I left it blank in my code above as well, but that should contain a field name I guess?

View solution in original post

FrankVl · ‎04-24-2018

Just write it in 1 eval statement:

EVAL-field1 = split(replace(,"[\][\"]",""),",")

PS: what did you have as the first parameter of the replace function? Why did you leave that out of your example? I left it blank in my code above as well, but that should contain a field name I guess?

soumyacharya91 · ‎04-24-2018

Yes you are absolutely right. My mistake I missed that entry. I tried this and it is working fine.

Thanks alot 🙂

Use double eval function for an extracted field

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk