The Spell Book • Room 3

Calculated Fields

**Calculated Fields** are eval expressions defined in `transforms.conf` or via the UI (Settings > Fields > Calculated Fields).

They automatically execute at search-time, adding new computed fields to every event that matches the specified sourcetype.

Example: Automatically calculating `duration_minutes` from a `duration_seconds` field.

Calculated Field Definition

Sourcetype: access_combined
Output Field: response_time_ms
Expression: response_time * 1000

Knowledge Check

Prove your understanding to clear the room (Rewards XP)

Write an eval expression that creates a calculated field called "size_mb" by dividing "bytes" by 1048576.

Splunk Search Bar