split function in calculated fields

AlexeyNL · ‎10-28-2013

When i try to save in Splunk Web calculated fields that contains split function i have a "Encountered the following error while trying to save: In handler 'props-eval': Bad function" message.
Why i can't use this function in calculated fields?
There is no word about this limitation here in Splunk Documentation,
Examples of Eval expression that are not working:

split(anyfield,";")

or

split("x:x",":")

But in conjunction with eval in Search these are working fine.

Splunk Version............................................6.0
Splunk Build............................................182037

joebensimo · ‎03-11-2014

This appears to only be a limitation in the user interface. I have successfully added (and use) calculated fields that use split by directly adding them to a props.conf file.

For example:

[source::users*ly]
EVAL-userid = split(userid," ")

joebensimo · ‎03-09-2014

I too am having this problem when I use split is calculated fields. Eg: split(field," ")

mklunder · ‎12-14-2013

I have also encountered the same issue. In my case I am adding the eval below in the web UI (6.0).

Expression:
mvcount( SPLIT(nodes, ",") )

Returns:
Encountered the following error while trying to save: In handler 'props-eval': Bad function

alacercogitatus · ‎10-28-2013

Can you edit and put your calculated input definition?

split function in calculated fields

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...