Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What's the order of search time field extraction

bowesmana
SplunkTrust
SplunkTrust
‎11-07-2013 01:33 AM

I have data like

whrchan-ros,FirstName,LastName,End User,Activated,Major Account,Group,Direct sales

I want to create a Company field at search time, which is the 3 character suffix. I have a field transform, which is

.*-(?<Company>[a-z]*$)

but I also want to convert any suffixes that are ros, to be rhk, so I have an eval calculated field of

Company=if(Company="ros","rhk",Company)

If I use eval in the search command it works, but it's not working via the calculated field definition, so I guess it's an order issue.

How can I make that substitution after the Company has first been extracted.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎11-07-2013 06:33 AM

Calculated fields happen after field extractions (EXTRACT-aaa, REPORT-aaa). In your props.conf file enter the following and check again:

[my_sourcetype]
EXTRACT-company = .*-(?<Company>[a-z]*$)
EVAL-Company = if(Company="ros","rhk",Company)

View solution in original post

Reply
Solved! Jump to solution

Lowell
Super Champion
‎10-25-2016 10:30 AM

Splunk now documents this very well. I highly recommend the The sequence of search-time operations page.

0 Karma
Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎11-07-2013 06:33 AM

Calculated fields happen after field extractions (EXTRACT-aaa, REPORT-aaa). In your props.conf file enter the following and check again:

[my_sourcetype]
EXTRACT-company = .*-(?<Company>[a-z]*$)
EVAL-Company = if(Company="ros","rhk",Company)

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-07-2013 10:02 PM

I worked out why mine wasn't working, I had the EVAL-Company in the host::* section, but had the REPORT-Company in the sourcetype stanza and I read that precedence is host first, so my Company field did not exist when it tried to make the substitutions. Fixed that and it worked.

Thanks for all the comments.

0 Karma
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎11-07-2013 11:04 AM

No, in EXTRACT-xxx, the xxx can be anything as long as it's unique within a stanza. In EVAL-xxx, the xxx must be the field name.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-07-2013 11:00 AM

Ensure that field name is same in both the stanza.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...