Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is the usage of multiple eval calculations in one pipe a feature or an unsupported hack?

HeinzWaescher
Motivator
‎06-19-2017 06:21 AM

Hi,

I did not know that it is possible:

| makeresults
| eval fieldA=123, fieldB=456, fieldC=789

I assume that this is better for search performance than 

| makeresults
| eval fieldA=123
| eval fieldB=456
| eval fieldC=789

Is the first example a feature or an unsupported hack that should not be used? I've never seen it before.

Cheers

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎06-19-2017 06:24 AM

The first example was supported starting in version 6.4 of Splunk.

I have never heard of there being a performance gain by using the first method over the second method, so I always stick to the second method for backwards compatibility and readability.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-19-2017 06:45 AM

I am unaware of any performance difference but both are value. I think the latter is generally more readable because the Right-Hand-Side tends to be long and busy and people don't expect other evals to be "over there".

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-19-2017 06:45 AM

I am unaware of any performance difference but both are value. I think the latter is generally more readable because the Right-Hand-Side tends to be long and busy and people don't expect other evals to be "over there".

Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎06-19-2017 06:24 AM

The first example was supported starting in version 6.4 of Splunk.

I have never heard of there being a performance gain by using the first method over the second method, so I always stick to the second method for backwards compatibility and readability.

Reply
Solved! Jump to solution

cmerriman
Super Champion
‎06-19-2017 06:44 AM

though, if you do have a lot of evals that are doing the same thing, i believe that foreach has a performance gain.

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎06-20-2017 04:37 AM

Readability is definitely the point why I would to stick to the second method as well. So I'm happy that there is no performance boost of the the other approach 🙂

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...