![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
I have data like

```
whrchan-ros,FirstName,LastName,End User,Activated,Major Account,Group,Direct sales
```

I want to create a Company field at search time, which is the 3 character suffix. I have a field transform, which is

```
.*-(?<Company>[a-z]*$)
```

but I also want to convert any suffixes that are ros, to be rhk, so I have an eval calculated field of

```
Company=if(Company="ros","rhk",Company)
```

If I use eval in the search command it works, but it's not working via the calculated field definition, so I guess it's an order issue.
How can I make that substitution after the Company has first been extracted?
![Splunk Employee Splunk Employee](/html/@F88B7774A2BF2E9108D79A067A92A581/rank_icons/employee-16.png)
Calculated fields happen after field extractions (EXTRACT-aaa, REPORT-aaa). In your props.conf file enter the following and check again:
```
[my_sourcetype]
EXTRACT-company = .*-(?<Company>[a-z]*$)
EVAL-Company = if(Company="ros","rhk",Company)
```
Splunk now documents this very well. I highly recommend the "The sequence of search-time operations" page.
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
I worked out why mine wasn't working: I had the EVAL-Company in the host::* section, but had the REPORT-Company in the sourcetype stanza, and I read that precedence is host first, so my Company field did not exist when it tried to make the substitutions. Fixed that and it worked.
Thanks for all the comments.
![Splunk Employee Splunk Employee](/html/@F88B7774A2BF2E9108D79A067A92A581/rank_icons/employee-16.png)
No, in EXTRACT-xxx, the xxx can be anything as long as it's unique within a stanza. In EVAL-xxx, the xxx must be the field name.
![somesoni2 somesoni2](https://community.splunk.com/legacyfs/online/avatars/100305.jpg)
Ensure that the field name is the same in both stanzas.
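The layout the thread converges on, as an added example that is not from any of the posters: the field transform and the calculated field are attached to the same sourcetype stanza, and the EVAL class name matches the extracted field name. The transform name `company_suffix` and the source field `username` are assumptions; `my_sourcetype` is the placeholder used in the answer above.

```ini
# transforms.conf
# Hypothetical transform name. SOURCE_KEY points the regex at the field
# that holds values such as "whrchan-ros"; "username" is an assumed name
# for that first column and must already be extracted.
[company_suffix]
SOURCE_KEY = username
REGEX = .*-(?<Company>[a-z]*$)

# props.conf
# Both settings live in the same stanza, so the calculated field is
# evaluated for exactly the events that the transform applies to.
[my_sourcetype]
# The class name after REPORT- is free-form, unique within the stanza.
REPORT-company = company_suffix
# The name after EVAL- must be the field being written (case-sensitive).
EVAL-Company = if(Company="ros","rhk",Company)
```

A quick check after deploying is `sourcetype=my_sourcetype | stats count by Company`: the value `ros` should no longer appear.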