Hello
Is there a way that one calculated field can pull data from another calculated field?
I have created 2 calculated fields Fields » Calculated fields. One based on the other.
e.g
FirstOne= "A"
SecondOne=FirstOne."A"
After doing this in Splunk Web, that is not possible. Maybe there is a way to set up this in conf files?
thank you
The documentation says that this is not possible:
When Splunk Enterprise evaluates calculated fields, it evaluates each expression as if it were independent of all of the others. This means you can't "chain" calculated field expressions, where the evaluation of one calculated field is used in the expression for another calculated field.
http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/definecalcfields
The documentation says that this is not possible:
When Splunk Enterprise evaluates calculated fields, it evaluates each expression as if it were independent of all of the others. This means you can't "chain" calculated field expressions, where the evaluation of one calculated field is used in the expression for another calculated field.
http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/definecalcfields
This should do:
... | eval foo=4 | eval bar=foo+4
The "trick" is to complete calculation of the first fields before using it in another since there is no specific order in which fields are calculated.
I was more referring to set up caclulated fields in Fields » Calculated fields not in the search.