Splunk Search

How to automatically calculate an eval expression?

bugnet
Path Finder

Hi everyone,
I use the following eval expression to convert epoch time to human readable format when I search:

... | eval formatted_time=strftime(old_time/1000, "%H:%M:%S %d-%m-%Y")

*old_time = time in epoch format.

Is it possible to make it permanent?
I mean, to calculate it automatically and not have to use the above search every time?

0 Karma

bwooden
Splunk Employee

Yes, Splunk supports this via a feature called "calculated fields" in props.conf. To do this for a source type called my_custom, it would look like this:

[my_custom]
EVAL-formatted_time=strftime(old_time/1000, "%H:%M:%S %d-%m-%Y")
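To check offline what this calculated field should yield, the following added example (not from the posters in this thread and not Splunk code) parses a constructed props.conf and emulates only the `strftime(<field>/<divisor>, "<format>")` expression shape used here. The function names are hypothetical, and UTC is assumed for a reproducible result.

```python
import configparser
import re
from datetime import datetime, timezone

# Constructed props.conf content, mirroring the stanza shown in the thread.
PROPS_CONF = '''
[my_custom]
EVAL-formatted_time=strftime(old_time/1000, "%H:%M:%S %d-%m-%Y")
'''

# Only the expression shape from this thread: strftime(<field>/<divisor>, "<format>")
STRFTIME_EXPR = re.compile(r'^strftime\(\s*(\w+)\s*/\s*(\d+)\s*,\s*"([^"]*)"\s*\)$')


def calculated_fields(props_text, sourcetype):
    """Return {field: expression} for EVAL-<field> settings in the sourcetype stanza."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case (EVAL-..., not eval-...)
    parser.read_string(props_text)
    if not parser.has_section(sourcetype):
        return {}  # stanza name does not match the sourcetype: nothing applies
    return {key[len("EVAL-"):]: value.strip()
            for key, value in parser.items(sourcetype) if key.startswith("EVAL-")}


def apply_calculated_fields(event, props_text, sourcetype):
    """Emulate the calculated fields on one event (dict of field name -> value)."""
    result = dict(event)
    for field, expr in calculated_fields(props_text, sourcetype).items():
        match = STRFTIME_EXPR.match(expr)
        if not match:
            continue  # other eval expressions are out of scope for this sketch
        source_field, divisor, fmt = match.groups()
        if source_field not in event:
            continue  # input field missing from the event: nothing to format
        seconds = int(event[source_field]) / int(divisor)  # epoch ms -> epoch s
        # Assumption: UTC; the time zone Splunk renders in may differ.
        result[field] = datetime.fromtimestamp(seconds, tz=timezone.utc).strftime(fmt)
    return result


if __name__ == "__main__":
    sample = {"old_time": "1700000000000"}  # constructed event, epoch milliseconds
    print(apply_calculated_fields(sample, PROPS_CONF, "my_custom"))
    print(apply_calculated_fields(sample, PROPS_CONF, "other_type"))
```

The second call shows the case where the stanza name does not match the event's source type, in which case no formatted_time field appears.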

yannK
Splunk Employee

You can also find it in the UI under Fields > Calculated fields.

bugnet
Path Finder

I tried to set it under $SPLUNK_HOME/etc/apps/search/local/props.conf but it doesn't work for me 😞

0 Karma

bwooden
Splunk Employee

@bugnet, what does the props.conf look like? You may want to implement it in the UI per yannK's comments (in the "Settings" menu).

0 Karma

kheli
Path Finder

Define it in props.conf.

0 Karma