<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Why isn't this eval'd field available? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-eval-d-field-available/m-p/24638#M3913</link>
    <description>&lt;P&gt;I guess I don't see why you wouldn't just &lt;CODE&gt;| sort - _time&lt;/CODE&gt; instead.&lt;/P&gt;</description>
    <pubDate>Thu, 02 Aug 2012 21:29:15 GMT</pubDate>
    <dc:creator>gkanapathy</dc:creator>
    <dc:date>2012-08-02T21:29:15Z</dc:date>
    <item>
      <title>Why isn't this eval'd field available?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-eval-d-field-available/m-p/24635#M3910</link>
      <description>&lt;P&gt;I've got a query like this:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;sourcetype=blahdeblah earliest=... latest=...&lt;BR /&gt;
 | stats .... &lt;BR /&gt;
 | join ..[ search ... | more stats ...  ] &lt;BR /&gt;
 | eval date_numericmonth=strftime(_time,"%m")&lt;BR /&gt;
 | sort date_year desc, date_numericmonth desc, date_mday asc &lt;BR /&gt;
 | table fields .... date_year, date_month, date_mday, date_numericmonth&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;Why is date_numericmonth empty in the resulting table? The sorting works as you would expect, and date_month shows up in the table just fine, so the date_numericmonth has a meaningful value, but for some reason I can't get it to show up in the results.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 12:11:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-eval-d-field-available/m-p/24635#M3910</guid>
      <dc:creator>LordVoldemort</dc:creator>
      <dc:date>2020-09-28T12:11:25Z</dc:date>
    </item>
    <item>
      <title>Re: Why isn't this eval'd field available?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-eval-d-field-available/m-p/24636#M3911</link>
      <description>&lt;P&gt;What fields are in the &lt;CODE&gt;stats&lt;/CODE&gt; commands? Note that if &lt;CODE&gt;_time&lt;/CODE&gt; is not a field output from &lt;CODE&gt;stats&lt;/CODE&gt;, then the eval will yield a null. Also note that the &lt;CODE&gt;date_*&lt;/CODE&gt; fields are basically independent of the &lt;CODE&gt;_time&lt;/CODE&gt; field (and in fact may not be the same, since &lt;CODE&gt;_time&lt;/CODE&gt; is UTC, while &lt;CODE&gt;date_*&lt;/CODE&gt; is event text time) so even if they're there, time may not be.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Aug 2012 21:20:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-eval-d-field-available/m-p/24636#M3911</guid>
      <dc:creator>gkanapathy</dc:creator>
      <dc:date>2012-08-02T21:20:32Z</dc:date>
    </item>
    <item>
      <title>Re: Why isn't this eval'd field available?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-eval-d-field-available/m-p/24637#M3912</link>
      <description>&lt;P&gt;The stats is using the date_x fields, but the thing that confuses me is that the date_numericmonth is working for the sort command. I didn't realize that _time was necessary in UTC though. It seems like I might be better off extracting all of my date fields through evals()s, and if I understand correctly, all I need to do to make sure I can return all of them is aggregate by them in the stats command.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 12:11:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-eval-d-field-available/m-p/24637#M3912</guid>
      <dc:creator>LordVoldemort</dc:creator>
      <dc:date>2020-09-28T12:11:28Z</dc:date>
    </item>
    <item>
      <title>Re: Why isn't this eval'd field available?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-eval-d-field-available/m-p/24638#M3913</link>
      <description>&lt;P&gt;I guess I don't see why you wouldn't just &lt;CODE&gt;| sort - _time&lt;/CODE&gt; instead.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Aug 2012 21:29:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-eval-d-field-available/m-p/24638#M3913</guid>
      <dc:creator>gkanapathy</dc:creator>
      <dc:date>2012-08-02T21:29:15Z</dc:date>
    </item>
    <item>
      <title>Re: Why isn't this eval'd field available?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-eval-d-field-available/m-p/24639#M3914</link>
      <description>&lt;P&gt;The sorting is a bit complicated, look at the asc, and desc's. Mostly though, I want to use the date_numericmonth in the splunk results and I can't if it isn't being returned.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Aug 2012 22:37:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-this-eval-d-field-available/m-p/24639#M3914</guid>
      <dc:creator>LordVoldemort</dc:creator>
      <dc:date>2012-08-02T22:37:31Z</dc:date>
    </item>
  </channel>
</rss>

