How to automatically calculate an eval expression?

bugnet · ‎05-31-2015

Hi everyone,
I use the following eval expression to convert epoch time to human readable format when I search:

... | eval formatted_time=strftime(old_time/1000, "%H:%M:%S %d-%m-%Y")

*old_time = time in epoch format.

Is it possible to do it permanent ?
I mean- To calculation it automatically and not use all the time with the above search ?

bwooden · ‎05-31-2015

Yes, Splunk supports this via a feature called "calculated fields" in props.conf. To do this for a source type called my_custom it would look like this

[my_custom] EVAL-formatted_time=strftime(old_time/1000, "%H:%M:%S %d-%m-%Y")

yannK · ‎05-31-2015

you can also find it in the UI under fields > calculated fields.

bugnet · ‎06-03-2015

I tried to set it under $SPLUNK_HOME/etc/apps/search/local/props.conf but no works for me 😞

bwooden · ‎06-03-2015

@bugnet, what does the props look like? You may want to implement it in the UI per yannK's comments (In "Settings" menu).

kheli · ‎05-31-2015

define it in props.conf

How to automatically calculate an eval expression?

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.Find out what your skills are worth! Read the report >

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >