Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Calculated field configuration (EVAL) not working in props.conf

513239
Explorer
‎02-14-2017 11:26 PM

I am trying to use a filed in calculated fields from props.conf to replace space in one of my field values but not getting any results in Splunk 6.2.

Below is EVAL stanza from props.conf -

EVAL-Customer_Id_New=replace(Customer_Id," ","")

Not getting any new field "Customer_Id_New" in interesting field for that sourcetype. Please help me if you can.

Thanks in advance

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2017 04:47 AM

Make sure the Customer_Id field is actually present at the time calculated fields are executed, and that it's not a calculated field itself.

Sequence reference: http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Searchtimeoperationssequence#Search-time...

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-16-2017 01:49 AM

More common errors to check:

  • Are you in the right app/user context?
  • Is the calculated field defined for the right sourcetype, source, or host?
0 Karma
Reply

arunsunny
Path Finder
‎02-10-2020 11:54 PM

@martin_mueller - I have a question on declaring calculated field names with spaces?

For Example:
EVAL-Cricket Team Name=team_name

Will this work?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-11-2020 12:27 AM

Sounds like a new question, so please create one. While you do that, also test if your calcfield works.

0 Karma
Reply

513239
Explorer
‎02-16-2017 01:35 AM

Yes. Customer_Id field is present at the time calculated fields are executed, and it's not a calculated field.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-17-2017 12:15 AM

If you added a knowledge object through the UI it is by default stored in your user context, etc/users/name/appname/local/props.conf - to move it to the app context etc/apps/appname/local/props.conf you need to share the knowledge object within the app.

0 Karma
Reply

anantdeshpande
Path Finder
‎02-16-2017 06:16 PM

Hi, I have similar problem when entered from backed in props.conf. However calculated field works when wrote eval from GUI front end.

But after restart of the splunk instances also, i do not see any entry added in that sourcetype stanza.
New field always appears.

Question is where does splunk keeps entry of calculated fields?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...