Splunk Search

Is there a way to put eval into a file to be called up as a function?

Richfez
SplunkTrust

For various dashboards and whatnot, I have a particular eval that I use quite a bit over a couple of calculated fields that generate the time-zone shifted hour and weekday of a search result. The result of this is then used for filtering, sorting, displays and all sorts of other things.

In several cases, it's something like this:

eval hr=strftime(_time, "%H") | 
eval wkday= strftime(_time, "%a")  | 
eval "Work Time" = case((wkday=="Sat" OR wkday=="Sun" OR (wkday=="Fri" AND hr>=18) OR (wkday=="Mon" AND hr<=5)), "Weekend" , (wkday=="Fri" AND hr<=17 AND hr>=6), "Friday Workday" , (hr>=18 OR hr<=5), "After Hours" , 1=1, "Regular Workday" )

The first two change, sometimes using a calculated field, sometimes using either min() or max() of a time. The last eval is static (and indeed, if I change it somewhere, it should be changed everywhere it is used to stay consistent).

Is there any way to put at least the last eval into a file to be called up like a function? Is there a way to put it into props.conf or transforms.conf to be used like that? Is there an entirely different way to handle this?

1 Solution

davebrooking
Contributor

This sounds like a good use of search macros; take a look at
http://docs.splunk.com/Documentation/Splunk/6.1.2/Search/Usesearchmacros
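A macros.conf implementation of that suggestion, added here as an example; it is not part of the original thread or of Splunk's documentation. The macro names work_time and work_time_from, the app path in the comment, and the validation regex are assumptions; the case() expression is the one from the question, unchanged. Keys used (args, definition, iseval, validation, errormsg, description) are standard macros.conf settings.

```ini
# macros.conf (added example). Place it in an app's local/ directory, for instance
# $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf, or create the same stanzas from
# Settings > Advanced search > Search macros in Splunk Web.

# Zero-argument macro: the static "Work Time" classification from the question.
# It expects hr and wkday to already exist, so the two per-dashboard evals that
# produce them stay in each search and only the shared logic lives here.
# iseval = 0 means the definition is substituted as literal search text.
[work_time]
definition = eval "Work Time" = case((wkday=="Sat" OR wkday=="Sun" OR (wkday=="Fri" AND hr>=18) OR (wkday=="Mon" AND hr<=5)), "Weekend", (wkday=="Fri" AND hr<=17 AND hr>=6), "Friday Workday", (hr>=18 OR hr<=5), "After Hours", 1=1, "Regular Workday")
iseval = 0
description = Classify an event as Weekend / Friday Workday / After Hours / Regular Workday from the hr and wkday fields

# One-argument variant (assumed name): takes the time field to classify, for example
# _time or a min()/max() result, derives hr and wkday from it, then calls the macro above.
# $tfield$ is substituted verbatim when the macro expands, so the argument must be a field
# name; the validation expression (an assumption, not required by Splunk) rejects anything
# that does not look like one and returns errormsg instead of running the search.
[work_time_from(1)]
args = tfield
definition = eval hr=strftime($tfield$, "%H"), wkday=strftime($tfield$, "%a") | `work_time`
iseval = 0
validation = match(tfield, "^[A-Za-z_][A-Za-z0-9_]*$")
errormsg = work_time_from expects a single field name as its argument

# Usage in a search (backticks invoke a macro; index and field names below are placeholders):
#   index=web sourcetype=access_combined | `work_time_from(_time)` | stats count BY "Work Time"
#   ... | stats min(_time) AS first_seen BY user | `work_time_from(first_seen)`
```

With this layout the case() expression exists in exactly one place, which is the consistency requirement from the question: editing the work_time stanza changes every dashboard and saved search that invokes it. Who can invoke the macro is governed by its sharing setting (private, app, or global) in the corresponding local.meta, so a macro shared at app or global level should be reviewed like any other shared knowledge object before it is promoted.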

Richfez
SplunkTrust
SplunkTrust

That will work spectacularly. Thanks!
