Splunk® Enterprise

Knowledge Manager Manual


About calculated fields

Calculated fields are fields added to events at search time that perform calculations with the values of two or more fields already present in those events. Use calculated fields as a shortcut for performing repetitive, long, or complex transformations using the eval command.

The eval command enables you to write an expression that uses extracted fields and creates a new field that takes the value that is the result of that expression's evaluation. For more information, see eval.

Eval expressions can be complex. If you need to use a long and complex eval expression on a regular basis, retyping the expression accurately can be tedious.

Calculated fields enable you to define fields with eval expressions. When writing a search, you can cut out the eval expression and reference the field like any other extracted field. The fields are extracted at search time and added to events that include the fields in the eval expressions.

You can create calculated fields in Splunk Web and in props.conf. For information on creating calculated fields in Splunk Web, see Create calculated fields with Splunk Web. For information on creating calculated fields with props.conf, see Configure calculated fields with props.conf.

Calculated fields and the search-time operations sequence

When you run a search, Splunk software runs several operations to derive knowledge objects and apply them to events returned by the search. Splunk software performs these operations in a specific sequence.

Search-time operations order

Calculated fields come fifth in the search-time operations sequence, after field aliasing but before lookups.

Restrictions

All EVAL-<fieldname> configurations within a single props.conf stanza are processed in parallel, rather than in any particular sequence. This means you cannot "chain" calculated field expressions, where the evaluation of one calculated field is used in the expression for another calculated field.

Calculated fields can reference all types of field extractions and field aliasing, but they cannot reference lookups, event types, or tags.

For more information

For more information about search-time operations, see search-time operations sequence.

Preventing overrides of existing fields

If a calculated field has the same name as a field that has been extracted by normal means, the calculated field will override the extracted field, even if the eval statement evaluates to null. You can cancel this override with the coalesce function for eval in conjunction with the eval expression. Coalesce takes an arbitrary number of arguments and returns the first value that is not null.

If you do not want the calculated field to override existing fields when the eval statement returns a value, use:

EVAL-field = coalesce(field, <eval expression>)

If you do not want the calculated field to override existing fields when the eval statement returns null, use:

EVAL-field = coalesce(<eval expression>, field)

For more information about coalesce and other eval functions, see evaluation functions in the Search Reference.

Calculated fields independence

When Splunk software evaluates calculated fields, it evaluates each expression as if it were independent of all other fields. You cannot chain calculated field expressions, where the evaluation of one calculated field is used in the expression for another calculated field.

In the following example, for any individual event, the new value of x is equal to the value of the calculated field y because the two calculations are carried out independently of each other. Both expressions use the original value of x when they calculate x*2.

[<foo>]
EVAL-x = x * 2
EVAL-y = x * 2

For an event where x=4, these calculated fields replace the value of x with 8 and add y=8 to the event.

Here is another example, which involves the extracted field response_time. When it is first extracted, the value of response_time is expressed in milliseconds. The following two calculated fields make use of response_time in different ways.

[<access_common>]
EVAL-response_time = response_time/1000
EVAL-bitrate = bytes*1000/response_time

In this example, two things are happening with the access_common sourcetype.

  • The first EVAL changes the value of response_time in all sourcetype=access_common events so that it is expressed in seconds rather than milliseconds. The new "in seconds" value overrides the old "in milliseconds" value.
  • The second EVAL calculates a new field called bitrate for all sourcetype=access_common events. It is expressed in bytes per second. bytes is another extracted field.

In both calculations, response_time is still expressed in milliseconds, because the two EVALs are calculated independently of each other: the bitrate expression never sees the converted "in seconds" value.
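To make the parallel-evaluation and coalesce behaviour described above concrete, here is a small Python simulation of those semantics. It is an added illustration, not Splunk code: every EVAL reads from a snapshot of the original event, the results are applied afterwards, and coalesce returns its first non-null argument. The event values are constructed.

```python
from typing import Any, Callable, Dict

Event = Dict[str, Any]


def coalesce(*args: Any) -> Any:
    """Return the first argument that is not null (None), like eval's coalesce."""
    for value in args:
        if value is not None:
            return value
    return None


def apply_calculated_fields(event: Event, evals: Dict[str, Callable[[Event], Any]]) -> Event:
    """Apply EVAL-<fieldname> definitions the way the page describes.

    Every expression is evaluated against a read-only snapshot of the original
    event, so no EVAL can observe another EVAL's result (no chaining). Each
    calculated field then overrides an existing field of the same name, even
    when its expression evaluated to null.
    """
    original = dict(event)                      # snapshot shared by all EVALs
    results = {name: expr(original) for name, expr in evals.items()}
    out = dict(event)
    out.update(results)                         # override existing fields
    return out


def example_independence() -> Event:
    """[<foo>] stanza from the page: EVAL-x = x * 2 and EVAL-y = x * 2."""
    event = {"x": 4}                            # constructed sample event
    evals = {"x": lambda e: e["x"] * 2, "y": lambda e: e["x"] * 2}
    return apply_calculated_fields(event, evals)


def example_response_time() -> Event:
    """[<access_common>] stanza: bitrate still sees response_time in ms."""
    event = {"response_time": 2000, "bytes": 1000}   # constructed: 2000 ms, 1000 bytes
    evals = {
        "response_time": lambda e: e["response_time"] / 1000,
        "bitrate": lambda e: e["bytes"] * 1000 / e["response_time"],
    }
    return apply_calculated_fields(event, evals)


def calculated_field_with_coalesce(event: Event, expr_value: Any, prefer_existing: bool) -> Any:
    """EVAL-field = coalesce(field, <expr>) if prefer_existing, else coalesce(<expr>, field)."""
    if prefer_existing:
        expr = lambda e: coalesce(e.get("field"), expr_value)
    else:
        expr = lambda e: coalesce(expr_value, e.get("field"))
    return apply_calculated_fields(event, {"field": expr})["field"]
```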


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2
