Solved: Is there a way for one calculated field to pull da...

akawacz · ‎11-24-2015

Hello

Is there a way that one calculated field can pull data from another calculated field?

I have created 2 calculated fields Fields » Calculated fields. One based on the other.

e.g

FirstOne= "A"
SecondOne=FirstOne."A"

After doing this in Splunk Web, that is not possible. Maybe there is a way to set up this in conf files?

thank you

HeinzWaescher · ‎11-24-2015

The documentation says that this is not possible:

When Splunk Enterprise evaluates calculated fields, it evaluates each expression as if it were independent of all of the others. This means you can't "chain" calculated field expressions, where the evaluation of one calculated field is used in the expression for another calculated field.

http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/definecalcfields

View solution in original post

HeinzWaescher · ‎11-24-2015

The documentation says that this is not possible:

When Splunk Enterprise evaluates calculated fields, it evaluates each expression as if it were independent of all of the others. This means you can't "chain" calculated field expressions, where the evaluation of one calculated field is used in the expression for another calculated field.

http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/definecalcfields

Sebastian2 · ‎11-24-2015

This should do:

 ...  | eval foo=4 | eval bar=foo+4

The "trick" is to complete calculation of the first fields before using it in another since there is no specific order in which fields are calculated.

akawacz · ‎11-24-2015

I was more referring to set up caclulated fields in Fields » Calculated fields not in the search.

Is there a way for one calculated field to pull data from another calculated field?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases