eval
Synopsis
Calculates an expression and puts the resulting value into a field.
Syntax
eval eval-field=eval-expression
Arguments
- eval-field
- Syntax: <string>
- Description: A name for the field that will hold your evaluated value.
- eval-expression
- Syntax: <string>
- Description: A combination of values, variables, operators, and functions that represent the value of your destination field.
Operators
The following table lists the basic operations you can perform with eval. For these evaluations to work, your values need to be valid for the type of operation. For example, with the exception of addition, arithmetic operations may not produce valid results if the values are not numeric. When concatenating values, Splunk reads the values as strings, regardless of their original type.

| Type | Operators |
|---|---|
| Arithmetic | + - * / % |
| Concatenation | . |
| Boolean | AND OR NOT XOR < > <= >= != = == LIKE |
Functions
The eval command includes the following functions: abs(), case(), cidrmatch(), coalesce(), exact(), exp(), floor(), if(), ifnull(), isbool(), isint(), isnotnull(), isnull(), isnum(), isstr(), len(), like(), ln(), log(), lower(), ltrim(), match(), max(), min(), md5(), mvcount(), mvindex(), mvfilter(), now(), null(), nullif(), pi(), pow(), random(), replace(), round(), rtrim(), searchmatch(), sqrt(), substr(), tostring(), trim(), typeof(), upper(), urldecode(), validate().
For descriptions and examples of each function, see "Functions for eval and where".
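The following search is an added example, not taken from the Splunk documentation, that combines several of the operators and functions above to enrich web access events for security review. The field names src_ip, clientip, status, method and uri are assumed for illustration; substitute the field names your sourcetype actually extracts.

```spl
... | eval client_ip = coalesce(src_ip, clientip, "unknown")
    | eval ip_zone = if(cidrmatch("10.0.0.0/8", client_ip) OR cidrmatch("192.168.0.0/16", client_ip), "internal", "external")
    | eval status_class = case(status >= 500, "server_error", status >= 400, "client_error", status >= 300, "redirect", status >= 200, "success", 1==1, "other")
    | eval suspicious = if(match(uri, "(?i)([.][.]/|%2e%2e|/etc/passwd|<script)"), 1, 0)
    | eval request_key = md5(client_ip . "|" . lower(method) . "|" . uri)
    | stats count by ip_zone status_class suspicious
```

coalesce() takes the first non-null field, so events that carry the client address under either name end up in one field before cidrmatch() tests it against the assumed internal ranges. case() is evaluated top to bottom, so the 500 test must precede the 400 test, and the final `1==1` branch is a catch-all for events with no numeric status; without it those events get no status_class at all. The `.` operator concatenates the three fields as strings before md5() hashes them, giving a stable key for grouping identical requests across events.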
Description
Performs an arbitrary expression evaluation, providing mathematical, string, and boolean operations. The results of eval are written to a specified destination field, which can be a new or existing field. If the destination field already exists, its values are replaced by the results of eval. The syntax of the expression is checked before the search runs, and an invalid expression raises an exception. For example, the result of an eval statement is not allowed to be boolean; to store the outcome of a comparison, wrap it in if() so that the expression yields a string or number. If evaluating the expression fails for a given event at search time (for example, because a field is missing or holds a non-numeric value where arithmetic is required), eval erases the value in the destination field for that event.
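The search below is an added example, not from the Splunk documentation, showing how the rules above affect a search in practice: a guarded computation, a comparison that must be wrapped in if() because a bare boolean result is not permitted, and an existing field overwritten by a later eval. The fields bytes_in and bytes_out are assumed names for illustration.

```spl
... | eval ratio = if(isnum(bytes_in) AND bytes_in > 0 AND isnum(bytes_out), round(bytes_out / bytes_in, 2), null())
    | eval high_ratio = if(isnull(ratio), "unknown", if(ratio > 50, "yes", "no"))
    | eval ratio_display = coalesce(tostring(ratio), "n/a")
    | eval bytes_out = tostring(bytes_out, "commas")
    | table bytes_out ratio_display high_ratio
```

An unguarded `eval ratio = bytes_out / bytes_in` would simply leave ratio empty on events where bytes_in is missing, zero, or text, and any later eval that reads ratio would then fail silently as well; the isnum() and isnull() checks make that case explicit. Writing `eval high_ratio = ratio > 50` is rejected at parse time because the result would be boolean, which is why the comparison is wrapped in if(). The final line overwrites bytes_out with its comma-formatted string form, so it must come after the arithmetic that depends on the numeric value.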
Examples
Example 1: Set velocity to distance / time.

... | eval velocity=distance/time

Example 2: Set status to OK if error is 200; otherwise, Error.

... | eval status = if(error == 200, "OK", "Error")

Example 3: Set lowuser to the lowercase version of username.

... | eval lowuser = lower(username)

Example 4: Set sum_of_areas to be the sum of the areas of two circles.

... | eval sum_of_areas = pi() * pow(radius_a, 2) + pi() * pow(radius_b, 2)

Example 5: Set error_msg to a message for some simple HTTP status codes.

... | eval error_msg = case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")

Example 6: Set full_name to the concatenation of first_name, a space, and last_name.

... | eval full_name = first_name." ".last_name

Example 7: Display a timechart of the average of cpu_seconds by processor, rounded to 2 decimal places.

... | timechart eval(round(avg(cpu_seconds),2)) by processor

Example 8: Convert a numeric field value to a string with commas and 2 decimal places. If the original value of x is 1000000, this returns x as 1,000,000.00.

... | eval x=tostring(x,"commas")

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11