Splunk Search

How to automatically calculate an eval expression?

bugnet
Path Finder

Hi everyone,
I use the following eval expression to convert epoch time to human readable format when I search:

... | eval formatted_time=strftime(old_time/1000, "%H:%M:%S %d-%m-%Y")

*old_time = time in epoch format.

Is it possible to do it permanent ?
I mean- To calculation it automatically and not use all the time with the above search ?

0 Karma

bwooden
Splunk Employee
Splunk Employee

Yes, Splunk supports this via a feature called "calculated fields" in props.conf. To do this for a source type called my_custom it would look like this

[my_custom]
EVAL-formatted_time=strftime(old_time/1000, "%H:%M:%S %d-%m-%Y")

yannK
Splunk Employee
Splunk Employee

you can also find it in the UI under fields > calculated fields.

bugnet
Path Finder

I tried to set it under $SPLUNK_HOME/etc/apps/search/local/props.conf but no works for me 😞

0 Karma

bwooden
Splunk Employee
Splunk Employee

@bugnet, what does the props look like? You may want to implement it in the UI per yannK's comments (In "Settings" menu).

0 Karma

kheli
Path Finder

define it in props.conf

0 Karma
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...