Re: How to automatically calculate an eval express...

bugnet · ‎05-31-2015

Hi everyone,
I use the following eval expression to convert epoch time to human readable format when I search:

... | eval formatted_time=strftime(old_time/1000, "%H:%M:%S %d-%m-%Y")

*old_time = time in epoch format.

Is it possible to do it permanent ?
I mean- To calculation it automatically and not use all the time with the above search ?

bwooden · ‎05-31-2015

Yes, Splunk supports this via a feature called "calculated fields" in props.conf. To do this for a source type called my_custom it would look like this

[my_custom] EVAL-formatted_time=strftime(old_time/1000, "%H:%M:%S %d-%m-%Y")

yannK · ‎05-31-2015

you can also find it in the UI under fields > calculated fields.

bugnet · ‎06-03-2015

I tried to set it under $SPLUNK_HOME/etc/apps/search/local/props.conf but no works for me 😞

bwooden · ‎06-03-2015

@bugnet, what does the props look like? You may want to implement it in the UI per yannK's comments (In "Settings" menu).

kheli · ‎05-31-2015

define it in props.conf

How to automatically calculate an eval expression?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to automatically calculate an eval expression?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR