Splunk Search

Is the usage of multiple eval calculations in one pipe a feature or an unsupported hack?

HeinzWaescher
Motivator

Hi,

I did not know that it is possible:

| makeresults
| eval fieldA=123, fieldB=456, fieldC=789

I assume that this is better for search performance than

| makeresults
| eval fieldA=123
| eval fieldB=456
| eval fieldC=789

Is the first example a feature or an unsupported hack that should not be used? I've never seen it before.

Cheers

0 Karma
1 Solution

rjthibod
Champion

The first example was supported starting in version 6.4 of Splunk.

I have never heard of there being a performance gain by using the first method over the second method, so I always stick to the second method for backwards compatibility and readability.

View solution in original post

woodcock
Esteemed Legend

I am unaware of any performance difference but both are value. I think the latter is generally more readable because the Right-Hand-Side tends to be long and busy and people don't expect other evals to be "over there".

woodcock
Esteemed Legend

I am unaware of any performance difference but both are value. I think the latter is generally more readable because the Right-Hand-Side tends to be long and busy and people don't expect other evals to be "over there".

rjthibod
Champion

The first example was supported starting in version 6.4 of Splunk.

I have never heard of there being a performance gain by using the first method over the second method, so I always stick to the second method for backwards compatibility and readability.

cmerriman
Super Champion

though, if you do have a lot of evals that are doing the same thing, i believe that foreach has a performance gain.

0 Karma

HeinzWaescher
Motivator

Readability is definitely the point why I would to stick to the second method as well. So I'm happy that there is no performance boost of the the other approach 🙂

Thanks

0 Karma
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...