
Is there a way to put eval into a file to be called up as a function?

Richfez
SplunkTrust

For various dashboards and whatnot, I have a particular eval that I use quite a bit over a couple of calculated fields that generate the time-zone shifted hour and weekday of a search result. The result of this is then used for filtering, sorting, displays and all sorts of other things.

In several cases, it's something like this:

eval hr=strftime(_time, "%H") | 
eval wkday= strftime(_time, "%a")  | 
eval "Work Time" = case((wkday=="Sat" OR wkday=="Sun" OR (wkday=="Fri" AND hr>=18) OR (wkday=="Mon" AND hr<=5)), "Weekend" , (wkday=="Fri" AND hr<=17 AND hr>=6), "Friday Workday" , (hr>=18 OR hr<=5), "After Hours" , 1=1, "Regular Workday" )

The first two change, sometimes using a calculated field, sometimes using either min() or max() of a time. The last eval is static (and indeed, if I change it somewhere, it should be changed everywhere it is used to stay consistent).

Is there any way to put at least the last eval into a file to be called up like a function? Is there a way to put it into props.conf or transforms.conf to be used like that? Is there an entirely different way to handle this?


davebrooking
Contributor

This sounds like a good use of search macros. Take a look at
http://docs.splunk.com/Documentation/Splunk/6.1.2/Search/Usesearchmacros

Richfez
SplunkTrust

That will work spectacularly. Thanks!

0 Karma
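
The search-macro approach suggested in the answer, sketched as a macros.conf stanza. This is an added example, not something posted in the thread. The macro name `worktime` and the argument names `hr` and `wkday` are assumptions; they are passed as field names so the first two evals can still vary per search while the case() logic lives in one place.

```ini
# macros.conf (added example; macro and argument names are assumptions)
# The "(2)" suffix declares a macro that takes two arguments.
[worktime(2)]
args = hr, wkday
# $hr$ and $wkday$ are replaced with the field names given at call time.
definition = eval "Work Time" = case(($wkday$=="Sat" OR $wkday$=="Sun" OR ($wkday$=="Fri" AND $hr$>=18) OR ($wkday$=="Mon" AND $hr$<=5)), "Weekend", ($wkday$=="Fri" AND $hr$<=17 AND $hr$>=6), "Friday Workday", ($hr$>=18 OR $hr$<=5), "After Hours", 1=1, "Regular Workday")
iseval = 0

# Usage in a search (the macro call is wrapped in backticks):
#   ... | eval hr=strftime(_time, "%H")
#       | eval wkday=strftime(_time, "%a")
#       | `worktime(hr, wkday)`
```

Changing the definition in this one stanza changes the classification in every dashboard and search that calls the macro.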