Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Calculated field in DB Connect
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have done testing the calculated fields for Splunk DB Connect in my local machine. Basically I added props.conf file to the following folder: %SPLUNK_HOM%\etc\apps\dbx\local
In the file, I have something like this
[MySoureType]
EVAL-cpu_time_s = CPU / 1000
EVAL-duration_s = Duration / (1000 * 1000)
It works perfectly in my local environment, I can see those fields (cpu_time_s, duration_s) show up in the search. However, when I implement in the actual server (a dedicated heavy forwarder installed with Dbx in a distributed environment), I can't find those fields anymore.
Any reason why it behaves differently? How should I troubleshoot this situation.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Somehow I need to move that configuration into indexers, rather than in DB connect dedicated server. Now those calculated fields work as expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Somehow I need to move that configuration into indexers, rather than in DB connect dedicated server. Now those calculated fields work as expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Probably, in your distributed enviroment, the fields CPU and Duration are not beign exctracted properly, and because of that the calculated fields doesn´t work either
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I want to move/test EVAL-field to indexer (instead of defining it in the dedicated forwarder server with dbx), it's not clear to me what exactly the steps I should do? How does indexer know I want add additional calculated fields? Where do I need to put such props.conf?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forgot to mention, those existing EVAL- from other apps managed by deployment server are working fine. Only DB Connect that I configured in this dedicated box did not work as I expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I checked all splunk servers (search head/indexer) and can only find props.conf with EVAL- in indexer. So, I configured the dedicated heavy forwarder with dbx installed and enabled indexAndForward = true in outputs.conf. I am expecting it will do calculated field in this box before sending to splunk receiver.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
You should put this configuration of props.conf in the Search Head, not in the heavy forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gfuente, Thanks for reply. Both CPU and Duration were showing up just fine. I also tried with fixed value like EVAL_test = 'test', but no such field showed up.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
