How to Create Calculated Fields in Splunk
Hello everyone!!
Again we have come with an interesting topic of splunk that is Calculated Fields. Calculated Fields will be added to the each and every event at time of search. Calculated Fields will perform some calculation taking one or more existing fields of the events. These fields can be used in future instead of writing eval command. Suppose you are performing a complex or long eval expression on regular basis, it will be difficult to write that eval expression everyday. So rather than that you can use a Calculated Fields instead of writing that eval expression.
You can create a new Calculated Field by taking the existing fields of events or you can override an existing field of events by a Calculated Field.
In search time operation sequence Calculated Fields come in fifth, just before the lookups and after the field aliasing. Calculated Fields can take reference of all field extraction and field aliasing but they can’t take reference of lookups, event types and tags as Calculated Field’s operation sequence is before of these(lookups, event types and tags).
For creating calculated fields you have to follow the below navigation.
Navigation :
Settings » Fields » Calculated fields » Add new
Create a Calculated Field with a new field name :
For creating Calculated field follow the navigation which is mentioned above. Give the Destination app name for which you want to create the Calculated Field. Then select a metadata upon which you want to apply . We have selected sourcetype as a metadata and also given a sourcetype called splunkd_ui_access. Then give a Name of the Calculated Field. We have given the name as status_calculated. In the Eval Expression you have to write an eval expression . We have given eval expression as status + 1000 . Here status is an existing field name in splunkd_ui_access sourcetype. After giving all those things click on Save to save the Calculated Field.
After that change the permission as global so that everyone can see this Calculated Field. Then click on Save to set the permission.
Now you can see the Calculated Field in the fields list. In the below image status is an existing field name and status_calculated is the calculated field name in _internal index and sourcetype name is splunkd_ui_access. By the table command we have taken those two fields and by dedup command we have removed duplicate values from the result set.
**********************************************************************************
Override an existing field by Calculated Field :
Below we have shown date_hour,an existing field in the _internal index and sourcetype name is splunkd_ui_access.
For creating Calculated field follow the navigation which is mentioned above. Give the Destination app name for which you want to create the Calculated Field. Then select a metadata upon which you want to apply . We have selected sourcetype as a metadata and also given a sourcetype called splunkd_ui_access. Then give a Name of the Calculated Field. We have given the name as date_hour . In the Eval Expression you have to write an eval expression . We have given eval expression as date_hour * 24 . Here date_hour is an existing field name in splunkd_ui_access sourcetype. As we have given the calculated field name same as existing field name so after saving date_hour field will be overwritten as per given eval expression. After giving all those things click on Save to save the Calculated Field.
After that change the permission as global so that everyone can see this Calculated Field. Then click on Save to set the permission.
Now you can see the Calculated Field in the fields list. In the below image date_hour is the calculated field name in _internal index and sourcetype name is splunkd_ui_access. By the table command we have taken the date_hour field and by dedup command we have removed duplicate values from the result set. As you can see date_hour field value has been overwritten as per the logic of the eval expression what we have given at time of calculated field creation.
************************************************************************************
Create a Calculated Field with Complex Eval Expression :
For creating Calculated field follow the navigation which is mentioned above. Give the Destination app name for which you want to create the Calculated Field. Then select a metadata upon which you want to apply . We have selected sourcetype as a metadata and also given a sourcetype called splunkd_ui_access. Then give a Name of the Calculated Field. We have given the name as milisecond. In the Eval Expression you have to write an eval expression. We have given eval expression as ((date_minute*60)+date_second)*1000 . Here date_minute and date_second are existing field names in splunkd_ui_access sourcetype. After giving all those things click on Save to save the Calculated Field.
After that change the permission as global so that everyone can see this Calculated Field. Then click on Save to set the permission.
Now you can see the Calculated Field in the fields list. In the below image date_minute and date_second are existing field names and milisecond is the calculated field name in _internal index and sourcetype name is splunkd_ui_access. By the table command we have taken those three fields and by dedup command we have removed duplicate values from the result set.
Hope this has helped you in achieving the below requirement without fail !!
How to Create Calculated Fields in Splunk
Happy Splunking !!
