Solved: Can you do a multiline eval command in a datamodel...

ebs · ‎07-27-2021

Whenever I've created eval fields before in a data model they're just a single command. Is it possible to do a multiline eval command for a field? This is what I want to make into a single field:

| eval AEST_time=_time+36000
| convert timeformat="%Y-%m-%dT%H:%M:%S.%3Q %Z" ctime(AEST_time)
| eval epoch=strptime(AEST_time, "%Y-%m-%dT%H:%M:%S.%3Q %Z")
| eval date=strftime(epoch, "%Y-%m-%d")

venkatasri · ‎07-27-2021

Hi @ebs

You shall get the same output with this, when you add something to _time it will be by default coverted to ePoch

| eval date=strftime(toNumber(_time+36000), "%Y-%m-%d")

View solution in original post

venkatasri · ‎07-27-2021

Hi @ebs

You shall get the same output with this, when you add something to _time it will be by default coverted to ePoch

| eval date=strftime(toNumber(_time+36000), "%Y-%m-%d")

ebs · ‎07-28-2021

Thanks!

Can you do a multiline eval command in a datamodel for an eval field?

calculated field

data model

field extraction

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation