Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there any way to do calculated fields before search time?

ayusuf
Engager
‎08-15-2016 01:39 PM

I was using calculated fields, but then I started reading the documentation and saw that calculated fields are done during search-time.
https://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/definecalcfields

I'm thinking this doesn't really give me an advantage of having it inside of the search vs outside in a calculated field in terms of performance.

Is there anyway to do the calculated field before search time? or is it only done once during the first initial search?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-15-2016 04:22 PM

The point of a calculated field is not performance, it's keeping complexity out of multiple searches.
While you usually don't gain any performance compared to an inline eval command in your search, you also don't lose any.

By moving your case expression to a calculated field, you enable every searcher to use the result without having to know about how it was computed, without having to compute it themselves in the search, without having to update the expression in dozens of places in case something changed.

Shameless plug: For detailed thoughts on calculated fields' search performance considerations, attend my .conf2016 talk 😄

0 Karma
Reply

somesoni2
Revered Legend
‎08-15-2016 02:07 PM

Calculated fields can be created during search time only. There is no expression evaluation available at index-time (only regex replacement /extraction is available). What are doing in the calculated field BTW?

0 Karma
Reply

ayusuf
Engager
‎08-15-2016 02:12 PM

@somesoni2, I'm doing an eval, in particular a case that statement with several match expressions. Besides calculated field is there another way to create a field before search time?

0 Karma
Reply

somesoni2
Revered Legend
‎08-15-2016 02:17 PM

There are, but as I said earlier, they can't be created using an expression, like eval-case. See more on Indexed-time field extraction here. Please note that they require additional processing time (at index time) and storage on indexers.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Configureindex-timefieldextraction

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...