Configure calculated fields with props.conf
To create a calculated field, add a calculated field key to a new or preexisting props.conf stanza. You can find props.conf in $SPLUNK_HOME/etc/system/local/, or in your own custom app directory in $SPLUNK_HOME/etc/apps/. Best practices for transferring your data customizations to other search servers suggest using your own custom app directory. Do not edit files in $SPLUNK_HOME/etc/system/default/.
For more information on configuration files, see About configuration files.
The format of a calculated field key in props.conf is:
[<stanza>]
EVAL-<field_name> = <eval statement>
<stanza> can be:
- <source type>, the source type of an event.
- host::<host>, where <host> is the host for an event.
- source::<source>, where <source> is the source for an event.
- Calculated field keys must start with "EVAL-" (including the hyphen), but "EVAL" is not case-sensitive (it can be "eVaL", for example).
- <field_name> is case-sensitive. This is consistent with all other field names in Splunk software.
- <eval_statement> is as flexible as it is for the eval search command. It can evaluate to any value type, including multivalue, boolean, or null.
Calculated fields with props.conf example
Prerequisites
- Review About calculated fields for more information about calculated fields.
- Review this example search from the Search Reference discussion of the eval command. This example examines earthquake data and classifies quakes by their depth by creating a Description field:
source=eqs7day-M1.csv | eval Description=case(Depth<=70, "Shallow", Depth>70 AND Depth<=300, "Mid", Depth>300 AND Depth<=700, "Deep") | table Datetime, Region, Depth, Description
Steps
Using calculated fields, you could define the eval expression for the Description field in props.conf.
- Create the following stanza in props.conf.
[<stanza>]
Eval-Description = case(Depth<=70, "Shallow", Depth>70 AND Depth<=300, "Mid", Depth>300 AND Depth<=700, "Deep")
- Rewrite the search as:
source=eqs7day-M1.csv | table Datetime, Region, Depth, Description
You can now search on Description as if it is any other extracted field. Splunk software will find the calculated field key and evaluate it for every event that contains a Depth field. You can also run searches like this:
source=eqs7day-M1.csv Description=Deep
After defining a calculated field key, Splunk software calculates the field at search time for events that have the extracted fields that appear in the eval statement. Calculated field evaluation takes place after search-time field extraction and field aliasing, but before derivation of lookup fields.
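As an added example (not code from the Splunk documentation or product), this Python script parses EVAL- keys out of a constructed props.conf fragment and applies them to events the way the rules above describe: the EVAL prefix is matched case-insensitively, the field name keeps its case, a stanza matches by source type, host:: or source::, and a key is skipped for events that lack a field its statement references. The case() evaluator is a deliberately minimal assumption that handles only field<op>number comparisons joined by AND, enough for the Depth classification shown above.

```python
import re

# Constructed props.conf fragment (an assumption for this example, not the page's file).
PROPS_CONF = """[eqs7day-M1.csv]
eVaL-Description = case(Depth<=70, "Shallow", Depth>70 AND Depth<=300, "Mid", Depth>300 AND Depth<=700, "Deep")
EVAL-description = case(Magnitude>=5, "Strong")
[host::quake-db]
EVAL-Tier = case(Depth>700, "Unclassified")
"""
KEY_RE = re.compile(r"^EVAL-([^\s=]+)\s*=\s*(.+)$", re.IGNORECASE)  # prefix is case-insensitive
COND_RE = re.compile(r"(\w+)\s*(<=|>=|<|>|=)\s*(-?\d+(?:\.\d+)?)")
OPS = {"<=": float.__le__, ">=": float.__ge__, "<": float.__lt__, ">": float.__gt__, "=": float.__eq__}

def parse_calculated_fields(text):
    """Map stanza -> {field_name: eval statement}; the field name keeps its case."""
    fields, stanza = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza is not None and (m := KEY_RE.match(line)):
            fields.setdefault(stanza, {})[m.group(1)] = m.group(2)
    return fields

def stanza_matches(stanza, event):
    """A stanza names a source type, or host::<host>, or source::<source>."""
    for prefix, key in (("host::", "host"), ("source::", "source")):
        if stanza.startswith(prefix):
            return event.get(key) == stanza[len(prefix):]
    return event.get("sourcetype") == stanza

def eval_case(statement, event):
    """Minimal case() evaluator (assumption): only field<op>number terms joined by AND."""
    args = [a.strip() for a in re.fullmatch(r"case\((.*)\)", statement.strip()).group(1).split(",")]
    for cond, value in zip(args[::2], args[1::2]):
        results = []
        for term in cond.split(" AND "):
            field, op, num = COND_RE.fullmatch(term.strip()).groups()
            if field not in event:
                raise KeyError(field)  # referenced field is absent: do not evaluate this key
            results.append(OPS[op](float(event[field]), float(num)))
        if all(results):
            return value.strip('"')
    return None  # no branch matched: the calculated field is null

def calculated_fields(event, fields):
    """Apply every matching stanza's EVAL- keys, skipping keys whose fields are missing."""
    out = {}
    for stanza, keys in fields.items():
        for name, statement in (keys.items() if stanza_matches(stanza, event) else ()):
            try:
                out[name] = eval_case(statement, event)
            except KeyError:
                pass
    return out
```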
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406