Configure calculated fields with props.conf

To create a calculated field, add a calculated field key to a new or preexisting props.conf stanza. You can find props.conf in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/. Best practices for transferring your data customizations to other search servers suggest using your own custom app directory.

Do not edit files in $SPLUNK_HOME/etc/system/default/.

For more information on configuration files, see About configuration files.

The format of a calculated field key in props.conf is:

[<stanza>]
EVAL-<field_name> = <eval statement>

<stanza> can be:
- <source type>, the source type of an event.
- host::<host>, where <host> is the host for an event.
- source::<source>, where <source> is the source for an event.

Calculated field keys must start with "EVAL-" (including the hyphen), but "EVAL" is not case-sensitive (can be "eVaL" for example).
<field_name>is case sensitive. This is consistent with all other field names in Splunk software.
<eval_statement> is as flexible as it is for the eval search command. It can be evaluated to any value type, including multivals, boolean, or null.

Calculated fields with props.conf example

Prerequisites

Review About calculated fields for more information about calculated fields.

Review this example search from the Search Reference discussion of the eval command. This example examines earthquake data and classifies quakes by their depth by creating a Description field:
```
source=eqs7day-M1.csv | eval Description=case(Depth<=70, "Shallow", Depth>70 AND Depth<=300, "Mid", Depth>300 AND Depth<=700, "Deep") | table Datetime, Region, Depth, Description
```

Steps

Using calculated fields, you could define the eval expression for the Description field in props.conf.

Create the following stanza in props.conf.

<Stanza>
Eval-Description = case(Depth<=70, "Shallow", Depth>70 AND Depth<=300, "Mid", Depth>300 AND Depth<=700, "Deep")

Rewrite the search as:

source=eqs7day-M1.csv | table Datetime, Region, Depth, Description

You can now search on Description as if it is any other extracted field. Splunk software will find the calculated field key and evaluate it for every event that contains a Depth field. You can also run searches like this:

source=eqs7day-M1.csv Description=Deep

After defining a calculated field key, Splunk software calculates the field at search time for events that have the extracted fields that appear in the eval statement. Calculated field evaluation takes place after search-time field extraction and field aliasing, but before derivation of lookup fields.