Solved: Can you do a multiline eval command in a datamodel...

ebs · ‎07-27-2021

Whenever I've created eval fields before in a data model they're just a single command. Is it possible to do a multiline eval command for a field? This is what I want to make into a single field:

| eval AEST_time=_time+36000
| convert timeformat="%Y-%m-%dT%H:%M:%S.%3Q %Z" ctime(AEST_time)
| eval epoch=strptime(AEST_time, "%Y-%m-%dT%H:%M:%S.%3Q %Z")
| eval date=strftime(epoch, "%Y-%m-%d")

venkatasri · ‎07-27-2021

Hi @ebs

You shall get the same output with this, when you add something to _time it will be by default coverted to ePoch

| eval date=strftime(toNumber(_time+36000), "%Y-%m-%d")

View solution in original post

venkatasri · ‎07-27-2021

Hi @ebs

You shall get the same output with this, when you add something to _time it will be by default coverted to ePoch

| eval date=strftime(toNumber(_time+36000), "%Y-%m-%d")

ebs · ‎07-28-2021

Thanks!

Can you do a multiline eval command in a datamodel for an eval field?

calculated field

data model

field extraction

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation