Solved: Custom Eval Command or Custom Search Command as Ca...

snoobzilla · ‎10-03-2016

Is it possible to include a custom search command in your app as a calculated field? One that would automatically appear as part of Verbose search results?

From what I have seen/read it looks like a custom command has to be used as part of the stream of search commands, and is never an extension of eval which is what I think would be required to accomplish above.

Trying to decide whether to invest time in a custom search command vs just using a macro.

Thanks

somesoni2 · ‎10-03-2016

You're correct about the custom search commands being not available for eval function. I would go with macro if that's possible.

View solution in original post

somesoni2 · ‎10-03-2016

You're correct about the custom search commands being not available for eval function. I would go with macro if that's possible.

snoobzilla · ‎10-17-2016

That answers my question. It is not ideal for my use case though.

rjthibod · ‎10-03-2016

I am confused by what you are asking. The fields that appear on the left-hand side of Verbose search results are fields extracted at search-time. Those are most often set in props.conf of an app.

So are you asking for help with a search-time calculated field or do you mean an actual custom search (SPL) command? The latter can be included in an app, but takes a few steps.

Custom Eval Command or Custom Search Command as Calculated Field?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation