Solved: Is there a way to put eval into a file to be calle...

Richfez · ‎07-17-2014

For various dashboards and whatnot, I have a particular eval that I use quite a bit over a couple of calculated fields that generate the time-zone shifted hour and weekday of a search result. The result of this is then used for filtering, sorting, displays and all sorts of other things.

In several cases, it's something like this:

eval hr=strftime(_time, "%H") | 
eval wkday= strftime(_time, "%a")  | 
eval "Work Time" = case((wkday=="Sat" OR wkday=="Sun" OR (wkday=="Fri" AND hr>=18) OR (wkday=="Mon" AND hr<=5)), "Weekend" , (wkday=="Fri" AND hr<=17 AND hr>=6), "Friday Workday" , (hr>=18 OR hr<=5), "After Hours" , 1=1, "Regular Workday" )

The first two change, sometimes using a calculated field, sometimes using either min() or max() of a time. The last eval is static (and indeed, if I change it somewhere, it should be changed everywhere it is used to stay consistent).

Is there any way to put at least the last eval into a file to be called up like a function? Is there a way to put it into props.conf or transforms.conf to be used like that? Is there an entirely different way to handle this?

davebrooking · ‎07-17-2014

This sounds like a good use of search macros, take a look at
http://docs.splunk.com/Documentation/Splunk/6.1.2/Search/Usesearchmacros

View solution in original post

davebrooking · ‎07-17-2014

This sounds like a good use of search macros, take a look at
http://docs.splunk.com/Documentation/Splunk/6.1.2/Search/Usesearchmacros

Richfez · ‎07-17-2014

That will work spectacularly. Thanks!

Is there a way to put eval into a file to be called up as a function?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!