Splunk Search

extract from calculated field

pwattssplunk
Splunk Employee
Splunk Employee

I can't find anything that says you can't do a field extraction from a calculated field, but I found that this works in props.conf:

[psft_weblogic_access]
EVAL-url = urldecode(url_encoded)
EXTRACT-url_encoded = (GET|POST)\s(?P.?)\s
EXTRACT-url_path = (?P.
?)(\?|$) in url_encoded

but this does not work--url_path is not extracted:

[psft_weblogic_access]
EVAL-url = urldecode(url_encoded)
EXTRACT-url_encoded = (GET|POST)\s(?P.?)\s
EXTRACT-url_path = (?P.
?)(\?|$) in url

Is that a limitation?

(url_path is meant to grab everything up to the first "?" or to the end of the url.)

Tags (1)
0 Karma
1 Solution

_d_
Splunk Employee
Splunk Employee

Calculated fields happen after field aliasing (which happens after ALL field extractions) but before lookups. What you're observing here is the correct behavior and not a limitation. eval is flexible enough to allow you to wrangle and mold field/strings to the desired shape. Your first example "works" because you're not extracting anything from url after it is calculated. Your second example, as expected, does not work because you're trying to extract from an EVALed field.

Also, note that you can't EVAL an EVALed field, but nothing prevents you from making your eval statement as complex as necessary:

[psft_weblogic_access]
EVAL-url_path = replace(urldecode(url_encoded), "([^?]+).*$", "\1")

d.

View solution in original post

_d_
Splunk Employee
Splunk Employee

Calculated fields happen after field aliasing (which happens after ALL field extractions) but before lookups. What you're observing here is the correct behavior and not a limitation. eval is flexible enough to allow you to wrangle and mold field/strings to the desired shape. Your first example "works" because you're not extracting anything from url after it is calculated. Your second example, as expected, does not work because you're trying to extract from an EVALed field.

Also, note that you can't EVAL an EVALed field, but nothing prevents you from making your eval statement as complex as necessary:

[psft_weblogic_access]
EVAL-url_path = replace(urldecode(url_encoded), "([^?]+).*$", "\1")

d.

gkanapathy
Splunk Employee
Splunk Employee

It is likely that EXTRACTs all run before EVALs, so you would not be able to extract this way. However, you may be able to instead use REPORT/transforms.conf to extract from EVAL. REPORTs run after EXTRACTs, but I do not know if they run after EVALs. If they do, you should be able to use:

REPORT-url_path = url_path

and in transforms.conf:

[url_path]
SOURCE_KEY = url
REGEX = (?<url_path>.?)(?|$)

in place of the corresponding EXTRACT.

0 Karma
Get Updates on the Splunk Community!

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...