Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What's the order of search time field extraction

bowesmana
SplunkTrust
SplunkTrust
‎11-07-2013 01:33 AM

I have data like

whrchan-ros,FirstName,LastName,End User,Activated,Major Account,Group,Direct sales

I want to create a Company field at search time, which is the 3 character suffix. I have a field transform, which is

.*-(?<Company>[a-z]*$)

but I also want to convert any suffixes that are ros, to be rhk, so I have an eval calculated field of

Company=if(Company="ros","rhk",Company)

If I use eval in the search command it works, but it's not working via the calculated field definition, so I guess it's an order issue.

How can I make that substitution after the Company has first been extracted.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎11-07-2013 06:33 AM

Calculated fields happen after field extractions (EXTRACT-aaa, REPORT-aaa). In your props.conf file enter the following and check again:

[my_sourcetype]
EXTRACT-company = .*-(?<Company>[a-z]*$)
EVAL-Company = if(Company="ros","rhk",Company)

View solution in original post

Reply
Solved! Jump to solution

Lowell
Super Champion
‎10-25-2016 10:30 AM

Splunk now documents this very well. I highly recommend the The sequence of search-time operations page.

0 Karma
Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎11-07-2013 06:33 AM

Calculated fields happen after field extractions (EXTRACT-aaa, REPORT-aaa). In your props.conf file enter the following and check again:

[my_sourcetype]
EXTRACT-company = .*-(?<Company>[a-z]*$)
EVAL-Company = if(Company="ros","rhk",Company)

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-07-2013 10:02 PM

I worked out why mine wasn't working, I had the EVAL-Company in the host::* section, but had the REPORT-Company in the sourcetype stanza and I read that precedence is host first, so my Company field did not exist when it tried to make the substitutions. Fixed that and it worked.

Thanks for all the comments.

0 Karma
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎11-07-2013 11:04 AM

No, in EXTRACT-xxx, the xxx can be anything as long as it's unique within a stanza. In EVAL-xxx, the xxx must be the field name.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-07-2013 11:00 AM

Ensure that field name is same in both the stanza.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...