Splunk Cloud Platform

Knowledge Manager Manual

About calculated fields

Calculated fields are fields added to events at search time that perform calculations with the values of two or more fields already present in those events. Use calculated fields as a shortcut for performing repetitive, long, or complex transformations using the eval command.

The eval command enables you to write an expression that uses extracted fields and creates a new field that takes the value that is the result of that expression's evaluation. For more information, see eval.

Eval expressions can be complex. If you need to use a long and complex eval expression on a regular basis, retyping the expression accurately can be tedious.

Calculated fields enable you to define fields with eval expressions. When writing a search, you can leave out the eval expression and reference the field like any other extracted field. Calculated fields are evaluated at search time and added to the events that contain the fields referenced in their eval expressions.

You can create calculated fields in Splunk Web and in props.conf. For information on creating calculated fields in Splunk Web, see Create calculated fields with Splunk Web. For information on creating calculated fields with props.conf, see Configure calculated fields with props.conf.

Calculated fields and the search-time operations sequence

When you run a search, Splunk software runs several operations to derive knowledge objects and apply them to events returned by the search. Splunk software performs these operations in a specific sequence.

Search-time operations order

Calculated fields come sixth in the search-time operations sequence, after field aliasing but before lookups.

Restrictions

All EVAL-<fieldname> configurations within a single props.conf stanza are processed in parallel instead of sequentially. This means you can't chain together calculated field expressions where the evaluation of one calculated field is used in the expression for the next calculated field.

Calculated fields can reference all types of field extractions. They can't reference lookups, event types, or tags.

For more information

For more information about search-time operations, see search-time operations sequence.

Creation of a calculated field on an aliased source is not supported

You can't create a calculated field that is scoped to an aliased host, source, or source type. You can achieve a similar result by using the conditional if function in the eval expression of the calculated field. For example, say you want to create a calculated field called appLength for events with response_code=200 and sourcetype=window_app. Instead of creating an alias for response_code called source and scoping the calculated field to that aliased source, filter the events directly in the eval expression using the if function. To do that, configure the calculated field in Splunk Web with Field name set to appLength and Eval expression set to if(response_code=200,len(app),null).

To use a configuration file to configure the calculated field on Splunk Enterprise, add the following stanza to your props.conf file:

[window_app]
EVAL-appLength = if(response_code=200,len(app),null)

See Comparison and Conditional functions in the Search Reference.

Preventing overrides of existing fields

If a calculated field has the same name as a field that has been extracted by normal means, the calculated field overrides the extracted field, even if the eval statement evaluates to null. You can prevent this override by wrapping the eval expression in the coalesce function. Coalesce takes an arbitrary number of arguments and returns the first value that is not null.

If you do not want the calculated field to override existing fields when the eval statement returns a value, use:

EVAL-field = coalesce(field, <eval expression>)

If you do not want the calculated field to override existing fields when the eval statement returns null, use:

EVAL-field = coalesce(<eval expression>, field)

For more information about coalesce and other eval functions, see evaluation functions in the Search Reference.

Calculated fields independence

When Splunk software evaluates calculated fields, it evaluates each expression as if it were independent of all other fields. You cannot chain calculated field expressions, where the evaluation of one calculated field is used in the expression for another calculated field.

In the following example, for any individual event, the value of x is equivalent to the value of calculated field y because the two calculations are carried out independently of each other. Both expressions use the original value of x when they calculate x*2.

[foo]
EVAL-x = x * 2
EVAL-y = x * 2

For a specific event x=4, these calculated fields would replace the value of x with 8, and would add y=8 to the event.

Here is another example, which involves the extracted field response_time. When it is first extracted, the value of response_time is expressed in milliseconds. The following two calculated fields make use of response_time in different ways.

[access_common]
EVAL-response_time = response_time/1000
EVAL-bitrate = bytes*1000/response_time

In this example, two things are happening with the access_common sourcetype.

  • The first EVAL changes the value of the response_time in all sourcetype=access_common events so that it is expressed in seconds rather than milliseconds. The new "in seconds" value overrides the old "in milliseconds" value.
  • The second EVAL calculates a new field called bitrate for all sourcetype=access_common events. It is expressed in bytes per second. bytes is another extracted field.

In both calculations, response_time is still expressed in milliseconds, because each EVAL is calculated independently of the other and sees only the original extracted value.
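The independence rule above and the coalesce override patterns from the previous section are easy to misjudge when the same field name appears on both sides of an EVAL setting. The following Python script is an added example, not Splunk code or part of this manual: it simulates the parallel, snapshot-based evaluation of the EVAL-<field> settings in a props.conf stanza with a small eval-expression evaluator that supports the arithmetic, if, len and coalesce forms used on this page, and runs the page's stanzas plus the two coalesce patterns against constructed events. The stanza name web, the field name status and all sample values are assumptions.

```python
"""Constructed simulator for the calculated-field semantics on this page (not
Splunk code): a restricted eval-expression evaluator plus the parallel,
snapshot-based application of the EVAL-<field> settings in a props.conf stanza."""
import ast
import operator
import re

_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMPOPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne,
           ast.Lt: operator.lt, ast.Gt: operator.gt}


def _to_python_syntax(expr):
    """Rewrite the supported eval subset so ast can parse it: a lone '='
    becomes '==', 'if(' becomes 'if_(' and 'null' becomes 'None'."""
    expr = re.sub(r"(?<![=!<>])=(?!=)", "==", expr)
    expr = re.sub(r"\bif\(", "if_(", expr)
    return re.sub(r"\bnull\b", "None", expr)


def _eval_node(node, event):
    """Evaluate a parsed expression against one event. A null operand makes
    arithmetic and comparisons return null, as in Splunk eval."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, event)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return event.get(node.id)  # a missing field evaluates to null
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left, right = _eval_node(node.left, event), _eval_node(node.right, event)
        return None if left is None or right is None else _BINOPS[type(node.op)](left, right)
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        left, right = _eval_node(node.left, event), _eval_node(node.comparators[0], event)
        return None if left is None or right is None else _CMPOPS[type(node.ops[0])](left, right)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        args = [_eval_node(a, event) for a in node.args]
        if node.func.id == "coalesce":  # first argument that is not null
            return next((a for a in args if a is not None), None)
        if node.func.id == "len":
            return None if args[0] is None else len(str(args[0]))
        if node.func.id == "if_":  # a null condition takes the else branch
            return args[1] if args[0] else args[2]
    raise ValueError("unsupported eval syntax: " + ast.dump(node))


def parse_props_stanza(text):
    """Parse one props.conf stanza into (stanza_name, {field: eval expression})."""
    name, evals = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
        elif line.startswith("EVAL-"):
            key, _, value = line.partition("=")
            evals[key.strip()[len("EVAL-"):]] = value.strip()
    return name, evals


def apply_calculated_fields(event, evals):
    """Evaluate every EVAL- setting against a snapshot of the extracted event and
    then merge the results: each expression sees original values only (the
    independence rule), and a calculated field replaces an extracted field of the
    same name even when it evaluates to null, which removes the field."""
    snapshot, merged = dict(event), dict(event)
    for field, expr in evals.items():
        value = _eval_node(ast.parse(_to_python_syntax(expr), mode="eval"), snapshot)
        if value is None:
            merged.pop(field, None)
        else:
            merged[field] = value
    return merged


def run_examples():
    """Apply the page's stanzas, plus the two coalesce patterns, to constructed
    events. The stanza name 'web', field name 'status' and all sample values
    are assumptions made for this example."""
    _, foo = parse_props_stanza("[foo]\nEVAL-x = x * 2\nEVAL-y = x * 2")
    _, access = parse_props_stanza("[access_common]\n"
                                   "EVAL-response_time = response_time/1000\n"
                                   "EVAL-bitrate = bytes*1000/response_time")
    _, window_app = parse_props_stanza(
        "[window_app]\nEVAL-appLength = if(response_code=200,len(app),null)")
    maybe_error = 'if(response_code=500,"error",null)'  # null unless a 500
    _, override = parse_props_stanza("[web]\nEVAL-status = " + maybe_error)
    _, fallback = parse_props_stanza(
        "[web]\nEVAL-status = coalesce(" + maybe_error + ", status)")
    _, keep = parse_props_stanza(
        "[web]\nEVAL-status = coalesce(status, " + maybe_error + ")")
    ok = {"response_code": 200, "app": "payroll", "status": "ok"}
    return {
        "independence": apply_calculated_fields({"x": 4}, foo),
        "units": apply_calculated_fields({"response_time": 2000, "bytes": 1500}, access),
        "scoped_if": apply_calculated_fields(ok, window_app),
        "override_to_null": apply_calculated_fields(ok, override),
        "null_falls_back": apply_calculated_fields(ok, fallback),
        "existing_wins": apply_calculated_fields({"response_code": 500, "status": "ok"}, keep),
    }


if __name__ == "__main__":
    for case, result in run_examples().items():
        print(case, result)
```

Running the script prints one line per case. In the independence and units cases the second expression sees the original x and the millisecond response_time, not the recalculated value. The override_to_null case shows the extracted status field disappearing because the calculated field of the same name evaluated to null, null_falls_back shows the coalesce(<eval expression>, field) form preserving it, and existing_wins shows the coalesce(field, <eval expression>) form keeping the extracted value even when the expression would have produced one.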

Last modified on 06 October, 2023

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2406, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release)