Hi
I have a dashboard which shows metrics for an API. It has a graph for response times, tables for min, max, average response times, etc.
All the searches for these graphs include the same eval function which groups endpoints where a variable is part of the endpoint. For example, this:
index=api
| eval endpoint = replace(endpoint,"user\/\d+\/address","user/{id}/address")
| stats Count, min(executiontime), max(executiontime), avg(executiontime), stdev(executiontime) by endpoint
The above "eval endpoint ....." is used in all the dashboard panel searches.
Can it be extracted so I don't have to maintain the same eval in multiple searches?
@SimonKof, you can create a Calculated field for your eval to reuse the same. Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/definecalcfields
Hi niketnilay
Thank you for the hint. I can't really understand how calculated fields are used.
When I go to "Calculated fields" -> "Add new", I know what to enter for destination, apply to, named and name. But what should the expression be?
It's difficult for me to find examples on this.