Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I reuse multiple eval statements in multiple dashboards without recoding in every one?

pxs0514
Explorer
‎12-19-2016 10:29 AM

I have a series of eval statements that I'd like to call from multiple dashboards, but have it coded in only one place for ease of maintenance. Below are the statements I need that do calculations differently based on the date. What's the best way to accomplish this?

| eval timecheck=substr(DATETIME,1,10) |  eval current_epoch = strptime(timecheck,"%Y-%m-%d")     
                |  eval Upgrade_Date=strptime("2017-01-22","%Y-%m-%d")                                                      <!-- Date of CPU Upgrade  -->
                |  eval current_mips = if(current_epoch>=Upgrade_Date,3322,3400)                                           <!-- NewMIPS,OldMIPS -->
                |  eval current_cps = if(current_epoch>=Upgrade_Date,5400,4500)                                             <!-- NewCPs,OldCPs -->
                |  eval MipsGP = cpusecs / current_cps *current_mips                                                <!-- GP secs / gpMips * secs avail -->
                | eval MipsGP=round(MipsGP,1)
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-19-2017 06:57 AM

HI @pxs0514,

You can define all evals in a macro and use it in search of multiple dashboards. By using macro you can manage eval calculations from one place.

Check below Link:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Knowledge/Searchmacroexamples

Let me know if any assistance.

Thanks
Kamlesh

0 Karma
Reply

nabeel652
Builder
‎12-19-2016 07:27 PM

Use calculated fields.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/definecalcfields

0 Karma
Reply

woodcock
Esteemed Legend
‎12-19-2016 10:48 AM

You have several options:

1: Make the field extractions automatic for every search on this sourcetype (using props.conf and tranforms.conf)
2: Put them into a macro and call the macro.
3: Put them into a base search inside the dashboard and use post-process searches in the panels (may not work depending on your searches).

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...