Splunk Search

My eval statement works in the Search App, but why does it not work when it is created via Settings, Fields, Calculated Field or via props.conf?

lyanta
Explorer

I'm able to create the following calculated field in the Search app.

.... | eval KCQueueDuration = (strptime(KCQStartDate." ".KCQStartTime, "%Y-%m-%d %H:%M:%S")) - (strptime(KCQEndDate." ".KCQEndTime, "%Y-%m-%d %H:%M:%S"))

However, I'm not able to get it to work when I create this field using the Splunk Web App (Settings->Fields->Calculated Fields) or editing the props.conf file. The field doesn't show up in the list of interesting fields, when I just search for all events for the source type. If I use this process to create a calculated field that just contains 1 of the strptime functions, it appears in the list of interesting fields.

Below is an example of the event data.
KCUID=905252z911311o,KCQStartDate=2016-01-06,KCQStartTime=15:19:46,KCQEndDate=2016-01-06,KCQEndTime=15:19:48

I couldn't find anything indicating that this expression is invalid in props.conf. Is this a known limitation of calculated fields in props.conf?

Tags (1)
0 Karma
1 Solution

sundareshr
Legend

I just tried this and it worked for me

EVAL-KCQueueDuration = (strptime(KCQStartDate." ".KCQStartTime, "%Y-%m-%d %H:%M:%S") - strptime(KCQEndDate." ".KCQEndTime, "%Y-%m-%d %H:%M:%S"))

View solution in original post

0 Karma

sundareshr
Legend

I just tried this and it worked for me

EVAL-KCQueueDuration = (strptime(KCQStartDate." ".KCQStartTime, "%Y-%m-%d %H:%M:%S") - strptime(KCQEndDate." ".KCQEndTime, "%Y-%m-%d %H:%M:%S"))
0 Karma

lyanta
Explorer

I tried your expression, and it also worked for me. It was one of the expression permutations I didn't think of trying.

Thanks for your help resolving this issue.

0 Karma

lguinn2
Legend

Perhaps it is a permissions problem? In which app did you create the calculated field and what are its permissions?

0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

Most likely its an ordering-of-the-knowledge-objects issue. Are any of the fields in your calculated field coming from an alias or lookup?

lyanta
Explorer

The fields in the calculated field expression are not alias or lookup fields. If I create a calculated field that just contains: strptime(KCQStartDate." ".KCQStartTime, "%Y-%m-%d %H:%M:%S"), it works. Likewise, it works if I create a calculated field with just strptime(KCQEndDate." ".KCQEndTime, "%Y-%m-%d %H:%M:%S"), it works.

The calculated field doesn't work when I tried to combine the 2 expressions to calculate a duration value.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...