- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extracting calculated fields from an XML input doe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to extract some fields from an XML input. The sourcetype is set up correctly, and I get all kinds of extracted fields with long names such as objectdata.general.timestamp, objectdata.general.width{@unit} etc. My problem is this: calculated fields simply don't pick up the field names extracted from XML. For example, if I have an event looking like this:
<objectdata>
...
<general>
...
<width unit="inch">
<value>17.3</value>
</width>
...
</general>
...
</objectdata>
In search, I see objectdata.general.width{@unit} as 'inch' and objectdata.general.width.value as 17.3. However, some of the objects have their width in 'mm', which, of course, needs to be divided by 25.4 to be converted to inches.
I wanted to calculate a new field and put this calculation in props.conf:
EVAL-objectWidth = objectdata.general.width.value / if(objectdata.general.width{@unit}=='mm',25.4,1)
but it doesn't work. No objectWidth field is created. I suspect it has something to do with the order of field extractions and evaluations in the pipeline. Is there a reasonable way to achieve what I want without putting the calculations into the search command each time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's likely due to the field names containing special characters. You could use a fieldalias to rename the fields, and then do the EVAL with the renamed fields, or you could try this:
EVAL-objectWidth = 'objectdata.general.width.value' / (if('objectdata.general.width{@unit}'="mm",25.4,1))
FYI I have not tested the above EVAL expression
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's likely due to the field names containing special characters. You could use a fieldalias to rename the fields, and then do the EVAL with the renamed fields, or you could try this:
EVAL-objectWidth = 'objectdata.general.width.value' / (if('objectdata.general.width{@unit}'="mm",25.4,1))
FYI I have not tested the above EVAL expression
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also tried to use FIELDALIAS. The fields are aliased quite well, but the EVAL (working in search strings) is not working in props.conf :(.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Troubleshooting tip: Test the EVAL in search and get it to work there before putting it into props.conf 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, those single quotes around the names helped me in at least one other place - I had to distinguish between objectdata.timestamp and objectdata.general.timestamp, and EVAL-MyTimestamp='objectdata.general.timestamp' did solve this (I was not using single quotes previously).
However, the more complex eval with the if did not benefit enough from those - no field generated :(. And the eval does work from the search string! I tried both == and a single = as a comparison operator in props.conf to no avail. Search string accepts the C-style comparison (==) just fine.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
