Configure calculated fields with props.conf
To create a calculated field, add a calculated field key to a new or preexisting
props.conf stanza. You can find
$SPLUNK_HOME/etc/system/local/, or your own custom app directory in
$SPLUNK_HOME/etc/apps/. Best practices for transferring your data customizations to other search servers suggest using your own custom app directory.
Do not edit files in
For more information on configuration files, see About configuration files.
The format of a calculated field key in
[<stanza>] EVAL-<field_name> = <eval statement>
<source type>, the source type of an event.
<host>is the host for an event.
<source>is the source for an event.
- Calculated field keys must start with "EVAL-" (including the hyphen), but "EVAL" is not case-sensitive (can be "eVaL" for example).
<field_name>is case sensitive. This is consistent with all other field names in Splunk software.
<eval_statement>is as flexible as it is for the
evalsearch command. It can be evaluated to any value type, including multivals, boolean, or null.
Calculated fields with props.conf example
- Review About calculated fields for more information about calculated fields.
- Review this example search from the Search Reference discussion of the
evalcommand. This example examines earthquake data and classifies quakes by their depth by creating a
source=eqs7day-M1.csv | eval Description=case(Depth<=70, "Shallow", Depth>70 AND Depth<=300, "Mid", Depth>300 AND Depth<=700, "Deep") | table Datetime, Region, Depth, Description
Using calculated fields, you could define the eval expression for the
Description field in
- Create the following stanza in
<Stanza> Eval-Description = case(Depth<=70, "Shallow", Depth>70 AND Depth<=300, "Mid", Depth>300 AND Depth<=700, "Deep")
- Rewrite the search as:
source=eqs7day-M1.csv | table Datetime, Region, Depth, Description
You can now search on
Description as if it is any other extracted field. Splunk software will find the calculated field key and evaluate it for every event that contains a
Depth field. You can also run searches like this:
After defining a calculated field key, Splunk software calculates the field at search time for events that have the extracted fields that appear in the eval statement. Calculated field evaluation takes place after search-time field extraction and field aliasing, but before derivation of lookup fields.
Create calculated fields with Splunk Web
About event types
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2303, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release)
Feedback submitted, thanks!