Splunk Search

Custom Eval Command or Custom Search Command as Calculated Field?

snoobzilla
Builder

Is it possible to include a custom search command in your app as a calculated field? One that would automatically appear as part of Verbose search results?

From what I have seen/read it looks like a custom command has to be used as part of the stream of search commands, and is never an extension of eval which is what I think would be required to accomplish above.

Trying to decide whether to invest time in a custom search command vs just using a macro.

Thanks

1 Solution

somesoni2
SplunkTrust
SplunkTrust

You're correct about the custom search commands being not available for eval function. I would go with macro if that's possible.

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You're correct about the custom search commands being not available for eval function. I would go with macro if that's possible.

0 Karma

snoobzilla
Builder

That answers my question. It is not ideal for my use case though.

0 Karma

rjthibod
Champion

I am confused by what you are asking. The fields that appear on the left-hand side of Verbose search results are fields extracted at search-time. Those are most often set in props.conf of an app.

So are you asking for help with a search-time calculated field or do you mean an actual custom search (SPL) command? The latter can be included in an app, but takes a few steps.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...