Functions for eval and where

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.



These are functions that you can use with the eval and where commands and as part of eval expressions.

Note: The time functions, strptime(), strftime(), and relative_time(), don't work with multivalue fields.

Function Description Example(s)
abs(X) This function takes a number X and returns its absolute value. This example returns the absnum, whose values are the absolute values of the numeric field number:

... | eval absnum=abs(number)

case(X,"Y",...) This function takes pairs of arguments X and Y. X arguments are Boolean expressions that, when evaluated to TRUE, return the corresponding Y argument. The function defaults to NULL if none are true. This example returns descriptions for the corresponding HTTP status code:

... | eval description=case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")

ceil(X), ceiling(X) This function returns the ceiling of a number X. This example returns n=2:

... | eval n=ceil(1.9)

cidrmatch("X",Y) This function identifies IP addresses that belong to a particular subnet. The function uses two arguments: the first is the CIDR subnet, which is contained in quotes; the second is the IP address to match, which may be values in a field. This example returns a field, addy, whose values are the IP addresses in the field ip that match the subnet:

... | eval addy=cidrmatch("123.132.32.0/25",ip)

coalesce(X,...) This function takes an arbitrary number of arguments and returns the first value that is not null. Let's say you have a set of events where the IP address is extracted to either clientip or ipaddress. This example defines a new field called ip, that takes the value of either clientip or ipaddress, depending on which is not NULL (exists in that event):

... | eval ip=coalesce(clientip,ipaddress)
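As an added illustration (not part of the Splunk documentation), the following Python models coalesce() and cidrmatch() as described above and applies them to a few constructed events. The field names clientip, ipaddress, ip and addy and the subnet 123.132.32.0/25 come from the examples; the sample events and the choice to return NULL for an address that cannot be parsed are assumptions.

```python
import ipaddress
from typing import Any, Optional


def coalesce(*values: Any) -> Any:
    """First argument that is not None (NULL); None if every argument is null."""
    for v in values:
        if v is not None:
            return v
    return None


def cidrmatch(subnet: str, ip: Optional[str]) -> Optional[bool]:
    """True if ip lies inside the CIDR subnet, False if it does not.

    Returns None (NULL) when ip is missing or is not a valid address, so a
    malformed value never silently counts as "inside" or "outside" (assumption).
    """
    if ip is None:
        return None
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(subnet, strict=False)
    except ValueError:
        return None


# Constructed sample events: the address lands in clientip or ipaddress, never both.
EVENTS = [
    {"clientip": "123.132.32.17", "ipaddress": None},   # inside /25 (.0 - .127)
    {"clientip": None, "ipaddress": "123.132.32.200"},  # same /24, outside the /25
    {"clientip": None, "ipaddress": None},              # no address at all
    {"clientip": "10.0.0.5", "ipaddress": None},        # different network
    {"clientip": "not-an-ip", "ipaddress": None},       # garbage extraction
]


def tag_events(events, subnet: str = "123.132.32.0/25"):
    """Mirror `eval ip=coalesce(clientip,ipaddress) | eval addy=cidrmatch(subnet, ip)` per event."""
    tagged = []
    for ev in events:
        ip = coalesce(ev.get("clientip"), ev.get("ipaddress"))
        # addy carries the address only when the match is TRUE; NULL/False both leave it null
        addy = ip if cidrmatch(subnet, ip) else None
        tagged.append({**ev, "ip": ip, "addy": addy})
    return tagged


if __name__ == "__main__":
    for row in tag_events(EVENTS):
        print(row["ip"], "->", row["addy"])
```

Because cidrmatch() returns NULL rather than FALSE for an unparsable value, a `where cidrmatch(...)` style filter drops such events in both directions; checking isnull() on the result separately is the way to surface bad extractions.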

commands(X) This function takes a search string, or field that contains a search string, X and returns a multivalued field containing a list of the commands used in X. (This is generally not recommended for use except for analysis of audit.log events.) ... | eval x=commands("search foo | stats count | sort count")

returns a multivalue field x, that contains 'search', 'stats', and 'sort'.

exact(X) This function evaluates an expression X using double precision floating point arithmetic. ... | eval n=exact(3.14 * num)
exp(X) This function takes a number X and returns e^X. This example returns y=e^3:

... | eval y=exp(3)

floor(X) This function returns the floor of a number X. This example returns 1:

... | eval n=floor(1.9)

if(X,Y,Z) This function takes three arguments. The first argument X is a Boolean expression. If X evaluates to TRUE, the result is the second argument Y. If X evaluates to FALSE, the result evaluates to the third argument Z. This example looks at the values of error and returns err=OK if error=200, otherwise returns err=Error:

... | eval err=if(error == 200, "OK", "Error")

isbool(X) This function takes one argument X and returns TRUE if X is Boolean. ... | eval n=if(isbool(field),"yes","no")

or

... | where isbool(field)

isint(X) This function takes one argument X and returns TRUE if X is an integer. ... | eval n=isint(field)

or

... | where isint(field)

isnotnull(X) This function takes one argument X and returns TRUE if X is not NULL. This is a useful check for whether or not a field (X) contains a value. ... | eval n=if(isnotnull(field),"yes","no")

or

... | where isnotnull(field)

isnull(X) This function takes one argument X and returns TRUE if X is NULL. ... | eval n=if(isnull(field),"yes","no")

or

... | where isnull(field)

isnum(X) This function takes one argument X and returns TRUE if X is a number. ... | eval n=if(isnum(field),"yes","no")

or

... | where isnum(field)

isstr(X) This function takes one argument X and returns TRUE if X is a string. ... | eval n=if(isstr(field),"yes","no")

or

... | where isstr(field)

len(X) This function returns the character length of a string X. ... | eval n=len(field)
like(X,"Y") This function takes two arguments, a field X and a quoted string Y, and returns TRUE if and only if the first argument is like the SQLite pattern in Y. This example returns islike=TRUE if the field value starts with foo:

... | eval islike=like(field,"foo%")

or

... | where like(field,"foo%")

ln(X) This function takes a number X and returns its natural log. This example returns the natural log of the values of bytes:

... | eval lnBytes=ln(bytes)

log(X,Y) This function takes either one or two numeric arguments and returns the log of the first argument X using the second argument Y as the base. If the second argument Y is omitted, this function evaluates the log of number X with base 10. ... | eval num=log(number,2)
lower(X) This function takes one string argument and returns the lowercase version. The upper() function also exists for returning the uppercase version. This example returns the value provided by the field username in lowercase.

... | eval username=lower(username)

ltrim(X,Y) This function takes one or two string arguments X and Y and returns X with the characters in Y trimmed from the left side. If Y is not specified, spaces and tabs are trimmed. This example returns x="abcZZ":

... | eval x=ltrim(" ZZZZabcZZ ", " Z")

match(X,Y) This function compares the regex string Y to the value of X and returns a Boolean value; it returns T (true) if X matches the pattern defined by Y. This example returns true IF AND ONLY IF field matches the basic pattern of an IP address. Note that the example uses ^ and $ to perform a full match.

... | eval n=match(field, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")

max(X,...) This function takes an arbitrary number of arguments X, that are numbers or strings, and returns the max; strings are greater than numbers. This example returns either "foo" or field, depending on the value of field:

... | eval n=max(1, 3, 6, 7, "foo", field)

md5(X) This function computes and returns the MD5 hash of a string value X. ... | eval n=md5(field)
min(X,...) This function takes an arbitrary number of arguments X, that are numbers or strings, and returns the min; strings are greater than numbers. This example returns 1:

... | eval n=min(1, 3, 6, 7, "foo", field)

mvappend(X,"Y",Z) This function takes three arguments, fields X and Z and a quoted string Y, and returns a multivalued result. The value of Y and the values of the field Z are appended to the values of field X. The fields X and Z can be either multi or single valued fields.
mvcount(X) This function takes a field X and returns the number of values of that field if the field is multivalued, 1 if the field is single valued, and NULL otherwise. ... | eval n=mvcount(multifield)
mvfilter(X) This function filters a multi-valued field based on an arbitrary Boolean expression X. The Boolean expression X can reference ONLY ONE field at a time.

Note: This function will return NULL values of the field x as well. If you don't want the NULL values, use the expression: mvfilter(x!=NULL).

This example returns all values of the field email that end in .net or .org:

... | eval n=mvfilter(match(email, "\.net$") OR match(email, "\.org$"))

mvfind(X,"Y") Appears in 4.2.2. This function tries to find a value in multivalued field X that matches the regular expression Y. If a match exists, the index of the first matching value is returned (beginning with zero). If no values match, NULL is returned. ... | eval n=mvfind(mymvfield, "err\d+")
mvindex(X,Y,Z) This function takes two or three arguments, field X and numbers Y and Z, and returns a subset of the multivalued field using the indexes provided.

For mvindex(mvfield, startindex, [endindex]), endindex is inclusive and optional; both startindex and endindex can be negative, where -1 is the last element. If endindex is not specified, it returns just the value at startindex. If the indexes are out of range or invalid, the result is NULL.

Since indexes start at zero, this example returns the third value in "multifield", if it exists:

... | eval n=mvindex(multifield, 2)

mvjoin(X,Y) This function takes two arguments, multi-valued field X and string delimiter Y, and joins the individual values of X using Y. This example joins together the individual values of "foo" using a semicolon as the delimiter:

... | eval n=mvjoin(foo, ";")

mvzip(X,Y) This function takes two multivalue fields, X and Y, and combines them by stitching together the first value of X with the first value of field Y, then the second with the second, etc. Similar to Python's zip command. ... | eval n=mvzip(hosts,ports)
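The multivalue functions above (mvappend, mvcount, mvfilter, mvfind, mvindex, mvjoin, mvzip) share a handful of edge rules: a missing field is NULL rather than an empty list, a single value counts as one, mvindex uses zero-based inclusive ranges with negative indexes from the end and returns NULL when a range is invalid. The following Python reference model is an added example, not Splunk's code; the values in the sample fields are constructed, and the comma separator in mvzip is an assumption.

```python
import re
from typing import Any, List, Optional


def _as_list(x: Any) -> Optional[List[Any]]:
    """None stays None (a missing field); a scalar becomes a one-element list; a list is copied."""
    if x is None:
        return None
    return list(x) if isinstance(x, list) else [x]


def mvcount(x: Any) -> Optional[int]:
    """Number of values if multivalued, 1 if single valued, None (NULL) if the field is missing."""
    if x is None:
        return None
    return len(x) if isinstance(x, list) else 1


def mvappend(x: Any, y: str, z: Any) -> List[Any]:
    """Values of X, then the literal string Y, then the values of Z (X and Z may be single or multi)."""
    return (_as_list(x) or []) + [y] + (_as_list(z) or [])


def mvfilter(values: Any, predicate) -> List[Any]:
    """Keep the values for which the predicate holds; the predicate sees one value at a time."""
    return [v for v in _as_list(values) or [] if predicate(v)]


def net_or_org(emails: Any) -> List[str]:
    """The page's example: mvfilter(match(email, "\\.net$") OR match(email, "\\.org$"))."""
    return mvfilter(emails, lambda e: re.search(r"\.net$", e) is not None
                    or re.search(r"\.org$", e) is not None)


def mvfind(values: Any, pattern: str) -> Optional[int]:
    """Zero-based index of the first value matching the regex, or None if nothing matches."""
    for i, v in enumerate(_as_list(values) or []):
        if re.search(pattern, str(v)):
            return i
    return None


def mvindex(values: Any, start: int, end: Optional[int] = None):
    """Subset by index: end is inclusive and optional, negative indexes count from the end
    (-1 is the last element); any out-of-range or inverted range yields None (NULL)."""
    vals = _as_list(values)
    if vals is None:
        return None
    n = len(vals)
    s = start + n if start < 0 else start
    if end is None:
        return vals[s] if 0 <= s < n else None
    e = end + n if end < 0 else end
    if not (0 <= s < n and 0 <= e < n and s <= e):
        return None
    return vals[s:e + 1]


def mvjoin(values: Any, delim: str) -> str:
    """Join the individual values with the delimiter."""
    return delim.join(str(v) for v in _as_list(values) or [])


def mvzip(x: Any, y: Any, delim: str = ",") -> List[str]:
    """Pair the i-th value of X with the i-th value of Y, like Python's zip; values beyond the
    shorter field are dropped and a comma separates each pair (both assumptions)."""
    return [f"{a}{delim}{b}" for a, b in zip(_as_list(x) or [], _as_list(y) or [])]


if __name__ == "__main__":
    hosts, ports = ["web1", "web2"], [80, 443]          # constructed sample fields
    print(mvzip(hosts, ports), mvindex(hosts, -1), mvcount(None))
```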
now() This function takes no arguments and returns the time that the search was started. The time is represented in Unix time or seconds since epoch.
null() This function takes no arguments and returns NULL. The evaluation engine uses NULL to represent "no value"; setting a field to NULL clears its value.
nullif(X,Y) This function takes two arguments, fields X and Y, and returns the X if the arguments are different. It returns NULL, otherwise. ... | eval n=nullif(fieldA,fieldB)
pi() This function takes no arguments and returns the constant pi to 11 digits of precision.
pow(X,Y) This function takes two numeric arguments X and Y and returns X^Y.
random() This function takes no arguments and returns a pseudo-random number ranging from zero to 2^31-1, for example: 0…2147483647
relative_time(X,Y) This function takes an epochtime time, X, as the first argument and a relative time specifier, Y, as the second argument and returns the epochtime value of Y applied to X. ... | eval n=relative_time(now(), "-1d@d")
replace(X,Y,Z) This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex. This example returns date with the month and day numbers switched, so if the input was 1/12/2009 the return value would be 12/1/2009:

... | eval n=replace(date, "^(\d{1,2})/(\d{1,2})/", "\2/\1/")
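The match() entry above stresses that ^ and $ are what turn a substring search into a full match, and the replace() entry shows capture groups being reused in the replacement. The Python below is an added example (not from the Splunk documentation) that models both functions with the same regexes as the page; the sample strings are constructed.

```python
import re
from typing import Optional


def match(value: Optional[str], pattern: str) -> Optional[bool]:
    """eval match(): True if the regex matches anywhere in value; add ^ and $ for a full match."""
    if value is None:
        return None
    return re.search(pattern, value) is not None


def replace(value: str, pattern: str, replacement: str) -> str:
    """eval replace(): substitute every regex match; \\1, \\2 in the replacement name capture groups."""
    return re.sub(pattern, replacement, value)


# The page's IP-shaped pattern, anchored (full match) and unanchored (substring match).
IP_ANCHORED = r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
IP_UNANCHORED = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"


def looks_like_ip(value: Optional[str]) -> Optional[bool]:
    """Full-match check. Note this only tests shape: 999.999.999.999 still passes,
    so use cidrmatch() or a real address parser when validity matters."""
    return match(value, IP_ANCHORED)


def swap_month_day(date: str) -> str:
    """The page's example: 1/12/2009 becomes 12/1/2009 via group back-references."""
    return replace(date, r"^(\d{1,2})/(\d{1,2})/", r"\2/\1/")


if __name__ == "__main__":
    print(looks_like_ip("192.168.1.1extra"), match("192.168.1.1extra", IP_UNANCHORED))
    print(swap_month_day("1/12/2009"))
```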

round(X,Y) This function takes one or two numeric arguments X and Y, returning X rounded to the number of decimal places specified by Y. The default is to round to an integer. This example returns n=4:

... | eval n=round(3.5)

This example returns n=2.56:

... | eval n=round(2.555, 2)

rtrim(X,Y) This function takes one or two string arguments X and Y and returns X with the characters in Y trimmed from the right side. If Y is not specified, spaces and tabs are trimmed. This example returns n="ZZZZabc":

... | eval n=rtrim(" ZZZZabcZZ ", " Z")

searchmatch(X) This function takes one argument X, which is a search string. The function returns true IF AND ONLY IF the event matches the search string. ... | eval n=searchmatch("foo AND bar")
sigfig(X) This function takes one argument X, a number, and rounds that number to the appropriate number of significant figures. 1.00*1111 = 1111, but

... | eval n=sigfig(1.00*1111)

returns n=1110.

spath(X,Y) This function takes two arguments: an input source field X and an spath expression Y, that is the XML or JSON formatted location path to the value that you want to extract from X. If Y is a literal string, it needs quotes, spath(X,"Y"). If Y is a field name (with values that are the location paths), it doesn't need quotes. This may result in a multivalued field. Read more about the spath search command. This example returns the values of locDesc elements:

... | eval locDesc=spath(_raw, "vendorProductSet.product.desc.locDesc")

This example returns the hashtags from a twitter event: index=twitter | eval output=spath(_raw, "entities.hashtags")

split(X,"Y") This function takes two arguments, field X and delimiting character Y. It splits the value(s) of X on the delimiter Y and returns X as a multi-valued field. ... | eval n=split(foo, ";")
sqrt(X) This function takes one numeric argument X and returns its square root. This example returns 3:

... | eval n=sqrt(9)

strftime(X,Y) This function takes an epochtime value, X, as the first argument and renders it as a string using the format specified by Y. This example returns the hour and minute from the _time field:

... | eval n=strftime(_time, "%H:%M")

strptime(X,Y) This function takes a time represented by a string, X, and parses it into a timestamp using the format specified by Y. If timeStr is in the form, "11:59", this returns it as a timestamp:

... | eval n=strptime(timeStr, "%H:%M")

substr(X,Y,Z) This function takes either two or three arguments, where X is a string and Y and Z are numeric. It returns a substring of X, starting at the index specified by Y with the number of characters specified by Z. If Z is not given, it returns the rest of the string.

The indexes follow SQLite semantics; they start at 1. Negative indexes can be used to indicate a start from the end of the string.

This example concatenates "str" and "ing" together, returning "string":

... | eval n=substr("string", 1, 3) + substr("string", -3)

time() This function returns the wall-clock time with microsecond resolution. The value of time() will be different for each event based on when that event was processed by the eval command.
tonumber("X",Y) This function converts the input string X to a number, where Y is optional and used to define the base of the number to convert to. Y can be 2..36, and defaults to 10. If it cannot parse the input to a number, the function returns NULL. This example returns "164":

... | eval n=tonumber("0A4",16)

tostring(X,Y) This function converts the input value to a string. If the input value is a number, it reformats it as a string. If the input value is a Boolean value, it returns the corresponding string value, "True" or "False".

This function requires at least one argument X; if X is a number, the second argument Y is optional and can be "hex" "commas" or "duration":

  • tostring(X,"hex") converts X to hexadecimal.
  • tostring(X,"commas") formats X with commas and, if the number includes decimals, rounds to nearest two decimal places.
  • tostring(X,"duration") converts seconds X to readable time format HH:MM:SS.
This example returns "True 0xF 12,345.68":

... | eval n=tostring(1==1) + " " + tostring(15, "hex") + " " + tostring(12345.6789, "commas")

This example returns foo=615 and foo2=00:10:15: ... | eval foo=615 | eval foo2 = tostring(foo, "duration")

trim(X,Y) This function takes one or two string arguments X and Y and returns X with the characters in Y trimmed from both sides. If Y is not specified, spaces and tabs are trimmed. This example returns "abc":

... | eval n=trim(" ZZZZabcZZ ", " Z")
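The trim family (ltrim, rtrim, trim) strips a set of characters rather than a literal prefix or suffix, and substr() follows SQLite's 1-based indexing with negative start positions counting from the end. The Python below is an added example, not part of the Splunk documentation, that models those rules; the sample strings are constructed, and the treatment of a start index of 0 follows SQLite (assumed to match Splunk).

```python
from typing import Optional


def ltrim(x: str, chars: str = " \t") -> str:
    """Strip every character in chars from the left; the default strips spaces and tabs."""
    return x.lstrip(chars)


def rtrim(x: str, chars: str = " \t") -> str:
    """Strip every character in chars from the right."""
    return x.rstrip(chars)


def trim(x: str, chars: str = " \t") -> str:
    """Strip every character in chars from both sides."""
    return x.strip(chars)


def substr(x: str, y: int, z: Optional[int] = None) -> str:
    """SQLite-style substring: y is 1-based; a negative y counts from the end of the string;
    z is a character count, or the rest of the string when omitted. Out-of-range positions clip
    to the string bounds instead of raising (SQLite behaviour, assumed to match Splunk)."""
    if z is not None and z < 0:
        raise ValueError("negative lengths are not modelled here")
    n = len(x)
    if y > 0:
        start = y - 1
    elif y < 0:
        start = n + y
    else:
        start = -1          # SQLite treats position 0 as just before the first character
    end = n if z is None else start + z
    start = max(start, 0)
    end = max(min(end, n), 0)
    return x[start:end]


def normalise_user(raw: str) -> str:
    """Typical cleanup of an extracted field: drop surrounding whitespace and stray quotes, then lowercase."""
    return trim(raw, " \t\"'").lower()


if __name__ == "__main__":
    print(repr(ltrim("ZZZZabcZZ", " Z")), repr(rtrim("ZZZZabcZZ", " Z")), repr(trim(" ZZZZabcZZ ", " Z")))
    print(substr("string", 1, 3) + substr("string", -3))
    print(normalise_user("  'Alice'\t"))
```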

typeof(X) This function takes one argument and returns a string representation of its type. This example returns "NumberStringBoolInvalid":

... | eval n=typeof(12) + typeof("string") + typeof(1==2) + typeof(badfield)

upper(X) This function takes one string argument and returns the uppercase version. The lower() function also exists for returning the lowercase version. This example returns the value provided by the field username in uppercase.

... | eval n=upper(username)

urldecode(X) This function takes one URL string argument X and returns the unescaped or decoded URL string. This example returns "http://www.splunk.com/download?r=header":

... | eval n=urldecode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader")

validate(X,Y,...) This function takes pairs of arguments, Boolean expressions X and strings Y. The function returns the string Y corresponding to the first expression X that evaluates to False and defaults to NULL if all are True. This example runs a simple check for valid ports:

... | eval n=validate(isint(port), "ERROR: Port is not an integer", port >= 1 AND port <= 65535, "ERROR: Port is out of range")
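validate() returns the message paired with the first failing check, which makes it a compact way to label malformed input, and tonumber()/tostring() handle the conversions around it. As an added example (not Splunk's code), the Python below models validate(), isint(), tonumber() and the tostring() formats described above, using the page's port check and its "True 0xF 12,345.68" and duration examples as test values; the use of callables so that later checks are only evaluated when earlier ones hold is an assumption about the left-to-right semantics.

```python
import re
from typing import Any, Callable, Optional, Tuple, Union

Check = Tuple[Callable[[], bool], str]


def validate(*pairs: Check) -> Optional[str]:
    """Return the message of the first check that evaluates to False; None (NULL) if all pass.
    Each check is a zero-argument callable so a later check (e.g. a numeric comparison) is only
    evaluated once the earlier ones (e.g. isint) have held."""
    for condition, message in pairs:
        if not condition():
            return message
    return None


def isint(x: Any) -> bool:
    """True for an integer value or a string holding one; bool is not treated as an integer."""
    if isinstance(x, bool):
        return False
    if isinstance(x, int):
        return True
    return isinstance(x, str) and re.fullmatch(r"-?\d+", x.strip()) is not None


def validate_port(port: Any) -> Optional[str]:
    """The page's example: validate(isint(port), ..., port >= 1 AND port <= 65535, ...)."""
    return validate(
        (lambda: isint(port), "ERROR: Port is not an integer"),
        (lambda: 1 <= int(port) <= 65535, "ERROR: Port is out of range"),
    )


def tonumber(x: Any, base: int = 10) -> Union[int, float, None]:
    """Parse string x as a number in the given base (2..36); None if it cannot be parsed."""
    if not 2 <= base <= 36:
        raise ValueError("base must be 2..36")
    try:
        if base == 10:
            f = float(x)                       # base 10 also accepts decimals
            return int(f) if f.is_integer() else f
        return int(str(x), base)
    except (ValueError, TypeError):
        return None


def tostring(x: Any, fmt: Optional[str] = None) -> str:
    """Booleans become "True"/"False"; numbers accept "hex", "commas" or "duration"."""
    if isinstance(x, bool):
        return "True" if x else "False"
    if fmt is None:
        return str(x)
    if fmt == "hex":
        return f"0x{int(x):X}"
    if fmt == "commas":
        return f"{round(x, 2):,}"              # rounds to two decimals when decimals are present
    if fmt == "duration":
        hours, rem = divmod(int(x), 3600)
        minutes, seconds = divmod(rem, 60)
        return f"{hours:02d}:{minutes:02d}:{seconds:02d}"
    raise ValueError(f"unknown format {fmt!r}")


def page_example() -> str:
    """tostring(1==1) + " " + tostring(15, "hex") + " " + tostring(12345.6789, "commas")"""
    return tostring(1 == 1) + " " + tostring(15, "hex") + " " + tostring(12345.6789, "commas")


if __name__ == "__main__":
    for p in ["abc", 70000, 0, 443, "22"]:      # constructed sample port values
        print(repr(p), "->", validate_port(p))
    print(page_example(), tostring(615, "duration"), tonumber("0A4", 16))
```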

This documentation applies to the following versions of Splunk: 4.3, 4.3.1, 4.3.2
