Solved: Can you do a multiline eval command in a datamodel...

ebs · ‎07-27-2021

Whenever I've created eval fields before in a data model they're just a single command. Is it possible to do a multiline eval command for a field? This is what I want to make into a single field:

| eval AEST_time=_time+36000
| convert timeformat="%Y-%m-%dT%H:%M:%S.%3Q %Z" ctime(AEST_time)
| eval epoch=strptime(AEST_time, "%Y-%m-%dT%H:%M:%S.%3Q %Z")
| eval date=strftime(epoch, "%Y-%m-%d")

venkatasri · ‎07-27-2021

Hi @ebs

You shall get the same output with this, when you add something to _time it will be by default coverted to ePoch

| eval date=strftime(toNumber(_time+36000), "%Y-%m-%d")

View solution in original post

venkatasri · ‎07-27-2021

Hi @ebs

You shall get the same output with this, when you add something to _time it will be by default coverted to ePoch

| eval date=strftime(toNumber(_time+36000), "%Y-%m-%d")

ebs · ‎07-28-2021

Thanks!

Can you do a multiline eval command in a datamodel for an eval field?

calculated field

data model

field extraction

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

Are you a member of the Splunk Community?