Getting Data In

Calculated field configuration (EVAL) not working in props.conf

513239
Explorer

I am trying to use a filed in calculated fields from props.conf to replace space in one of my field values but not getting any results in Splunk 6.2.

Below is EVAL stanza from props.conf -

EVAL-Customer_Id_New=replace(Customer_Id," ","")

Not getting any new field "Customer_Id_New" in interesting field for that sourcetype. Please help me if you can.

Thanks in advance

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Make sure the Customer_Id field is actually present at the time calculated fields are executed, and that it's not a calculated field itself.

Sequence reference: http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Searchtimeoperationssequence#Search-time...

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

More common errors to check:

  • Are you in the right app/user context?
  • Is the calculated field defined for the right sourcetype, source, or host?
0 Karma

arunsunny
Path Finder

@martin_mueller - I have a question on declaring calculated field names with spaces?

For Example:
EVAL-Cricket Team Name=team_name

Will this work?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Sounds like a new question, so please create one. While you do that, also test if your calcfield works.

0 Karma

513239
Explorer

Yes. Customer_Id field is present at the time calculated fields are executed, and it's not a calculated field.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If you added a knowledge object through the UI it is by default stored in your user context, etc/users/name/appname/local/props.conf - to move it to the app context etc/apps/appname/local/props.conf you need to share the knowledge object within the app.

0 Karma

anantdeshpande
Path Finder

Hi, I have similar problem when entered from backed in props.conf. However calculated field works when wrote eval from GUI front end.

But after restart of the splunk instances also, i do not see any entry added in that sourcetype stanza.
New field always appears.

Question is where does splunk keeps entry of calculated fields?

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...