Splunk > Calculated Fields [Dodge monotonous tasks]

Calculated fields are newly created fields that are added to events at search time. Each one is generated by a calculation over one or more field values that are already present in the events, so it is a shortcut for eval calculations you would otherwise repeat in every search.

Where to create one?

Settings => Fields => Calculated Fields

A few things to remember while creating a calculated field:

  • Make sure the "Destination app" is selected appropriately; it limits the scope of the calculated field to that app.
  • It can be applied to a source, a sourcetype or a host, but do not use * there; specify a concrete value instead.
  • Give it a unique name; this becomes the name of the newly created field once the calculation has been made.
  • In the eval statement, specify only the part where the calculation happens. For example, to change seconds into milliseconds, instead of writing the whole "| eval RT_MilliSecs = round((RT * 1000),3)" just type in "round((RT * 1000),3)".

Once all the values are entered appropriately, just Save. This creates a new calculated field whose name is shown as APPLY_TO::NAMED : EVAL-NAME.

So instead of writing the whole chunk of SPL / EVAL statement in every search:


Once we have the calculated field in place, the search shrinks to a much smaller SPL, because the field (named as below in Settings) is computed automatically:

=> "source::FE-Logs : EVAL-Secs to MilliSecs"
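The same calculated field written directly in props.conf, which is what the Settings UI creates behind the scenes. This is an added example and not part of the original post: the source value FE-Logs and the field RT come from the post, while the app directory, the new field name RT_MilliSecs and the sample searches in the note below are assumptions.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf
# The UI writes an equivalent stanza; the "Destination app" you pick decides
# which app's props.conf it lands in, which is how the field's scope is limited.

# Apply only to events whose source is FE-Logs. A concrete value is used here,
# not "*", following the post's advice to scope the field narrowly.
[source::FE-Logs]

# EVAL-<new field name> = <eval expression>
# Only the right-hand side of the eval goes here, exactly as the post says:
# no "| eval RT_MilliSecs =" prefix. RT is the existing field holding seconds.
EVAL-RT_MilliSecs = round((RT * 1000), 3)
```

With the stanza in place, a search such as `source=FE-Logs | eval RT_MilliSecs = round((RT * 1000),3) | stats avg(RT_MilliSecs)` becomes `source=FE-Logs | stats avg(RT_MilliSecs)`. Two caveats worth checking before relying on the field: calculated fields are evaluated after field extraction and field aliasing but before lookups, and one calculated field cannot reference another, so the expression must use fields that are extracted or aliased. If RT is missing or non-numeric in an event, the eval yields null and RT_MilliSecs is simply absent from that event, so a search that filters on it silently drops such events.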


#Splunk #StudySplunk #Happy #Learning #Tips #LearningNeverStops #Education #EdTech #Calculated #Fields
