Splunk® Enterprise

Search Reference

Evaluation functions

Use the evaluation functions to evaluate an expression, based on your events, and return a result. See the Quick reference section for the supported functions and their syntax.

Commands

You can use evaluation functions with the eval, fieldformat, and where commands, and as part of evaluation expressions.

Usage

  • All functions that accept strings can accept literal strings or any field. 
  • All functions that accept numbers can accept literal numbers or any numeric field.

String arguments

For most evaluation functions, when a string argument is expected, you can specify either an explicit string or a field name. The explicit string is denoted by double quotation marks. In other words, when the function syntax specifies a string you can specify any expression that results in a string. For example, name + "server".

Nested functions

You can specify a function as an argument to another function.

In the following example, the cidrmatch function is used as the first argument in the if function.

... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")


The following example shows how to use the true() function to provide a default to the case function.

... | eval error=case(status == 200, "OK", status == 404, "Not found", true(), "Other")
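
The search below is an added example, not part of the Splunk documentation. It runs the two expressions above over four constructed rows, then repeats the case function without the true() default, where a status that matches no condition returns NULL, and uses that result inside a further if function. The fields n, error_no_default and triage and all sample values are assumptions; the comments use the comment macro from the Search app.

```spl
| makeresults count=4
`comment("Constructed sample rows: the ip and status values are invented for illustration")`
| streamstats count AS n
| eval ip=case(n == 1, "123.132.32.10", n == 2, "123.132.32.127", n == 3, "123.132.32.200", n == 4, "10.0.0.5")
| eval status=case(n == 1, 200, n == 2, 404, n == 3, 200, n == 4, 500)
`comment("The two expressions from this page, unchanged")`
| eval isLocal=if(cidrmatch("123.132.32.0/25", ip), "local", "not local")
| eval error=case(status == 200, "OK", status == 404, "Not found", true(), "Other")
`comment("Same case() without the true() default: a status that matches no condition gets no value")`
| eval error_no_default=case(status == 200, "OK", status == 404, "Not found")
`comment("isnull() nested in if(): flag rows outside the /25 whose status fell through")`
| eval triage=if(isnull(error_no_default) AND isLocal == "not local", "review", "ignore")
| table ip status isLocal error error_no_default triage
```

The /25 prefix covers 123.132.32.0 through 123.132.32.127, so only the first two sample addresses fall inside it.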


Quick reference

The following table is a quick reference for the evaluation functions. This table lists the syntax for each of the supported functions. Use the links in the Type of functions column for more details and examples.

Type of functions: Supported functions

Comparison and Conditional functions:
  • case(X,"Y",...)
  • cidrmatch("X",Y)
  • coalesce(X,...)
  • false()
  • if(X,Y,Z)
  • in(VALUE-LIST)
  • like(TEXT, PATTERN)
  • match(SUBJECT, "REGEX")
  • null()
  • nullif(X,Y)
  • searchmatch(X)
  • true()
  • validate(X,Y,...)

Conversion functions:
  • printf("format",arguments)
  • tonumber(NUMSTR,BASE)
  • tostring(X,Y)

Cryptographic functions:
  • md5(X)
  • sha1(X)
  • sha256(X)
  • sha512(X)

Date and Time functions:
  • now()
  • relative_time(X,Y)
  • strftime(X,Y)
  • strptime(X,Y)
  • time()

Informational functions:
  • isbool(X)
  • isint(X)
  • isnotnull(X)
  • isnull(X)
  • isnum(X)
  • isstr(X)
  • typeof(X)

Mathematical functions:
  • abs(X)
  • ceiling(X)
  • exact(X)
  • exp(X)
  • floor(X)
  • ln(X)
  • log(X,Y)
  • pi()
  • pow(X,Y)
  • round(X,Y)
  • sigfig(X)
  • sqrt(X)

Multivalue eval functions:
  • commands(X)
  • mvappend(X,...)
  • mvcount(MVFIELD)
  • mvdedup(X)
  • mvfilter(X)
  • mvfind(MVFIELD,"REGEX")
  • mvindex(MVFIELD,STARTINDEX,ENDINDEX)
  • mvjoin(MVFIELD,STR)
  • mvrange(X,Y,Z)
  • mvsort(X)
  • mvzip(X,Y,"Z")

Statistical eval functions:
  • max(X,...)
  • min(X,...)
  • random()

Text functions:
  • len(X)
  • lower(X)
  • ltrim(X,Y)
  • replace(X,Y,Z)
  • rtrim(X,Y)
  • spath(X,Y)
  • split(X,"Y")
  • substr(X,Y,Z)
  • trim(X,Y)
  • upper(X)
  • urldecode(X)

Trigonometry and Hyperbolic functions:
  • acos(X)
  • acosh(X)
  • asin(X)
  • asinh(X)
  • atan(X)
  • atan2(X,Y)
  • atanh(X)
  • cos(X)
  • cosh(X)
  • hypot(X,Y)
  • sin(X)
  • sinh(X)
  • tan(X)
  • tanh(X)

See also

Topics:
Statistical and charting functions

Commands:
eval
fieldformat
where

Splunk Answers

Have questions? Visit Splunk Answers and search for a specific function or command.

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0


Comments

Pbourrel infomil
Thank you for pointing this out. It is fixed now.

Lstewart splunk, Splunker
September 12, 2017

There is a typing error in the "Informational functions", if I'm not mistaken the first function should be spelled "isbool" and published "ibool" lacking the "s" letter.

Pbourrel infomil
September 12, 2017

Halseaidy - Thanks for pointing this out. Fixed now :-)

Lstewart splunk, Splunker
July 24, 2017

Typo on mvrange.
Currently: mvrange(X,Y.Z)
It should be: mvrange(X,Y,Z)

Halseaidy splunk, Splunker
July 18, 2017
