Evaluation functions
Use the evaluation functions to evaluate an expression, based on your events, and return a result.
Quick reference
See the Supported functions and syntax section for a quick reference list of the evaluation functions.
Commands
You can use evaluation functions with the eval, fieldformat, and where commands, and as part of eval expressions with other commands.
Usage
- All functions that accept strings can accept literal strings or any field.
- All functions that accept numbers can accept literal numbers or any numeric field.
String arguments and fields
For most evaluation functions, when a string argument is expected, you can specify either a literal string or a field name. Literal strings must be enclosed in double quotation marks. In other words, when the function syntax specifies a string you can specify any expression that results in a string. For example, you have a field called name which contains the names of your servers. You want to append the literal string server at the end of the name. You would specify this: name + "server".
Nested functions
You can specify a function as an argument to another function.
In the following example, the cidrmatch function is used as the first argument in the if function.
... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")
The following example shows how to use the true() function to provide a default to the case function.
... | eval error=case(status == 200, "OK", status == 404, "Not found", true(), "Other")
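The two patterns above combined, as an added example that is not part of the original documentation: cidrmatch is used as a condition inside case, true() supplies the default, and an isnull branch handles events that lack the field. The sample events are constructed with makeresults and streamstats, and the field names n, ip and status are assumptions.

```spl
| makeresults count=4
`comment("Constructed sample events: n, ip and status are hypothetical fields; event 4 has no ip or status")`
| streamstats count AS n
| eval ip=case(n==1, "123.132.32.17", n==2, "123.132.32.200", n==3, "10.1.2.3")
| eval status=case(n==1, 200, n==2, 404, n==3, 503)
| eval isLocal=case(isnull(ip), "unknown", cidrmatch("123.132.32.0/25", ip), "local", true(), "not local")
| eval error=case(isnull(status), "No status", status == 200, "OK", status == 404, "Not found", true(), "Other")
| table n ip status isLocal error
```

Without the isnull branch, an event with no status falls through to the true() default and is labelled Other.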
Supported functions and syntax
There are two ways that you can see information about the supported evaluation functions:
- Function list by category
- Alphabetical list of functions
Function list by category
The following table is a quick reference of the supported evaluation functions. This table lists the syntax and provides a brief description for each of the functions. Use the links in the Type of function column for more details and examples.
Type of function | Supported functions and syntax | Description |
---|---|---|
Comparison and Conditional functions | case(X,"Y",...) | Accepts alternating conditions and values. Returns the first value for which the condition evaluates to TRUE. |
Comparison and Conditional functions | cidrmatch("X",Y) | Returns TRUE or FALSE based on whether an IP address matches a CIDR notation. |
Comparison and Conditional functions | coalesce(X,...) | This function takes an arbitrary number of arguments and returns the first value that is not NULL. |
Comparison and Conditional functions | false() | Returns FALSE. |
Comparison and Conditional functions | if(X,Y,Z) | If the condition X evaluates to TRUE, returns Y, otherwise returns Z. |
Comparison and Conditional functions | in(FIELD, VALUE-LIST) | The function returns TRUE if one of the values in the list matches a value in the field you specify. |
Comparison and Conditional functions | like(TEXT, PATTERN) | Returns TRUE if TEXT matches PATTERN. |
Comparison and Conditional functions | match(SUBJECT, "REGEX") | Returns TRUE or FALSE based on whether REGEX matches SUBJECT. |
Comparison and Conditional functions | null() | This function takes no arguments and returns NULL. |
Comparison and Conditional functions | nullif(X,Y) | This function is used to compare fields. The function takes two arguments, X and Y, and returns NULL if X = Y. Otherwise it returns X. |
Comparison and Conditional functions | searchmatch(X) | Use this function to return TRUE if the search string (X) matches the event. |
Comparison and Conditional functions | true() | Returns TRUE. |
Comparison and Conditional functions | validate(X,Y,...) | Use this function to return the string Y corresponding to the first expression X that evaluates to FALSE. This function is the opposite of the case function. |
Conversion functions | printf("format",arguments) | Creates a formatted string based on a format description that you provide. |
Conversion functions | tonumber(NUMSTR,BASE) | Converts a string to a number. |
Conversion functions | tostring(X,Y) | Converts the input, such as a number or a Boolean value, to a string. |
Cryptographic functions | md5(X) | Computes the md5 hash for the value X. |
Cryptographic functions | sha1(X) | Computes the sha1 hash for the value X. |
Cryptographic functions | sha256(X) | Computes the sha256 hash for the value X. |
Cryptographic functions | sha512(X) | Computes the sha512 hash for the value X. |
Date and Time functions | now() | Returns the time that the search was started. |
Date and Time functions | relative_time(X,Y) | Adjusts the time by a relative time specifier. |
Date and Time functions | strftime(X,Y) | Takes a UNIX time and renders it into a human readable format. |
Date and Time functions | strptime(X,Y) | Takes a human readable time and renders it into UNIX time. |
Date and Time functions | time() | The time that eval function was computed. The time will be different for each event, based on when the event was processed. |
Informational functions | isbool(X) | Returns TRUE if the field value is Boolean. |
Informational functions | isint(X) | Returns TRUE if the field value is an integer. |
Informational functions | isnotnull(X) | Returns TRUE if the field value is not NULL. |
Informational functions | isnull(X) | Returns TRUE if the field value is NULL. |
Informational functions | isnum(X) | Returns TRUE if the field value is a number. |
Informational functions | isstr(X) | Returns TRUE if the field value is a string. |
Informational functions | typeof(X) | Returns a string that indicates the field type, such as Number, String, Boolean, and so forth. |
Mathematical functions | abs(X) | Returns the absolute value. |
Mathematical functions | ceiling(X) or ceil(X) | Rounds the value up to the next highest integer. |
Mathematical functions | exact(X) | Returns the result of a numeric eval calculation with a larger amount of precision in the formatted output. |
Mathematical functions | exp(X) | Returns the exponential function e^X. |
Mathematical functions | floor(X) | Rounds the value down to the next lowest integer. |
Mathematical functions | ln(X) | Returns the natural logarithm. |
Mathematical functions | log(X,Y) | Returns the logarithm of X using Y as the base. If Y is omitted, base 10 is used. |
Mathematical functions | pi() | Returns the constant pi to 11 digits of precision. |
Mathematical functions | pow(X,Y) | Returns X to the power of Y, X^Y. |
Mathematical functions | round(X,Y) | Returns X rounded to the amount of decimal places specified by Y. The default is to round to an integer. |
Mathematical functions | sigfig(X) | Rounds X to the appropriate number of significant figures. |
Mathematical functions | sqrt(X) | Returns the square root of the value. |
Multivalue eval functions | commands(X) | Returns a multivalued field that contains a list of the commands used in X. |
Multivalue eval functions | mvappend(X,...) | Returns a multivalue result based on all of the values specified. |
Multivalue eval functions | mvcount(MVFIELD) | Returns the count of the number of values in the specified field. |
Multivalue eval functions | mvdedup(X) | Removes all of the duplicate values from a multivalue field. |
Multivalue eval functions | mvfilter(X) | Filters a multivalue field based on an arbitrary Boolean expression X. |
Multivalue eval functions | mvfind(MVFIELD,"REGEX") | Finds the index of a value in a multivalue field that matches the REGEX. |
Multivalue eval functions | mvindex(MVFIELD,STARTINDEX,ENDINDEX) | Returns a set of values from a multivalue field described by STARTINDEX and ENDINDEX. |
Multivalue eval functions | mvjoin(MVFIELD,STR) | Takes all of the values in a multivalue field and appends them together delimited by STR. |
Multivalue eval functions | mvrange(X,Y,Z) | Creates a multivalue field with a range of numbers between X and Y, incrementing by Z. |
Multivalue eval functions | mvsort(X) | Returns the values of a multivalue field sorted lexicographically. |
Multivalue eval functions | mvzip(X,Y,"Z") | Takes two multivalue fields, X and Y, and combines them by stitching together the first value of X with the first value of field Y, then the second with the second, and so on. |
Multivalue eval functions | split(X,"Y") | Returns a mv field splitting X by the delimited character Y. |
Statistical eval functions | max(X,...) | Returns the maximum of the string or numeric values. |
Statistical eval functions | min(X,...) | Returns the minimum of the string or numeric values. |
Statistical eval functions | random() | Returns a pseudo-random integer ranging from zero to 2^31-1. |
Text functions | len(X) | Returns the count of the number of characters (not bytes) in the string. |
Text functions | lower(X) | Converts the string to lowercase. |
Text functions | ltrim(X,Y) | Trims the characters represented in Y from the left side of the string. |
Text functions | replace(X,Y,Z) | Returns a string formed by substituting string Z for every occurrence of regex string Y in string X. |
Text functions | rtrim(X,Y) | Returns X with the characters in Y trimmed from the right side. |
Text functions | spath(X,Y) | Extracts a value from a structured data type (XML or JSON) in X based on a location path in Y. |
Text functions | substr(X,Y,Z) | Returns a substring from X based on the starting position Y and the length Z. |
Text functions | trim(X,Y) | Trims the characters represented in Y from both sides of the string X. |
Text functions | upper(X) | Returns the string in uppercase. |
Text functions | urldecode(X) | Replaces URL escaped characters with the original characters. |
Trigonometry and Hyperbolic functions | acos(X) | Computes the arc cosine of X. |
Trigonometry and Hyperbolic functions | acosh(X) | Computes the arc hyperbolic cosine of X. |
Trigonometry and Hyperbolic functions | asin(X) | Computes the arc sine of X. |
Trigonometry and Hyperbolic functions | asinh(X) | Computes the arc hyperbolic sine of X. |
Trigonometry and Hyperbolic functions | atan(X) | Computes the arc tangent of X. |
Trigonometry and Hyperbolic functions | atan2(X,Y) | Computes the arc tangent of X,Y. |
Trigonometry and Hyperbolic functions | atanh(X) | Computes the arc hyperbolic tangent of X. |
Trigonometry and Hyperbolic functions | cos(X) | Computes the cosine of an angle of X radians. |
Trigonometry and Hyperbolic functions | cosh(X) | Computes the hyperbolic cosine of X radians. |
Trigonometry and Hyperbolic functions | hypot(X,Y) | Computes the hypotenuse of a triangle. |
Trigonometry and Hyperbolic functions | sin(X) | Computes the sine of X. |
Trigonometry and Hyperbolic functions | sinh(X) | Computes the hyperbolic sine of X. |
Trigonometry and Hyperbolic functions | tan(X) | Computes the tangent of X. |
Trigonometry and Hyperbolic functions | tanh(X) | Computes the hyperbolic tangent of X. |
Alphabetical list of functions
Supported functions and syntax | Description | Type of function |
---|---|---|
abs(X) | Returns the absolute value. | Mathematical functions |
acos(X) | Computes the arc cosine of X. | Trigonometry and Hyperbolic functions |
acosh(X) | Computes the arc hyperbolic cosine of X. | Trigonometry and Hyperbolic functions |
asin(X) | Computes the arc sine of X. | Trigonometry and Hyperbolic functions |
asinh(X) | Computes the arc hyperbolic sine of X. | Trigonometry and Hyperbolic functions |
atan(X) | Computes the arc tangent of X. | Trigonometry and Hyperbolic functions |
atan2(X,Y) | Computes the arc tangent of X,Y. | Trigonometry and Hyperbolic functions |
atanh(X) | Computes the arc hyperbolic tangent of X. | Trigonometry and Hyperbolic functions |
case(X,"Y",...) | Accepts alternating conditions and values. Returns the first value for which the condition evaluates to TRUE. | Comparison and Conditional functions |
cidrmatch("X",Y) | Returns TRUE or FALSE based on whether an IP address matches a CIDR notation. | Comparison and Conditional functions |
ceiling(X) | Rounds the value up to the next highest integer. | Mathematical functions |
coalesce(X,...) | This function takes an arbitrary number of arguments and returns the first value that is not NULL. | Comparison and Conditional functions |
commands(X) | Returns a multivalued field that contains a list of the commands used in X. | Multivalue eval functions |
cos(X) | Computes the cosine of an angle of X radians. | Trigonometry and Hyperbolic functions |
cosh(X) | Computes the hyperbolic cosine of X radians. | Trigonometry and Hyperbolic functions |
exact(X) | Returns the result of a numeric eval calculation with a larger amount of precision in the formatted output. | Mathematical functions |
exp(X) | Returns the exponential function e^X. | Mathematical functions |
false() | Returns FALSE. | Comparison and Conditional functions |
floor(X) | Rounds the value down to the next lowest integer. | Mathematical functions |
hypot(X,Y) | Computes the hypotenuse of a triangle. | Trigonometry and Hyperbolic functions |
if(X,Y,Z) | If the condition X evaluates to TRUE, returns Y, otherwise returns Z. | Comparison and Conditional functions |
in(FIELD, VALUE-LIST) | The function returns TRUE if one of the values in the list matches a value in the field you specify. | Comparison and Conditional functions |
isbool(X) | Returns TRUE if the field value is Boolean. | Informational functions |
isint(X) | Returns TRUE if the field value is an integer. | Informational functions |
isnotnull(X) | Returns TRUE if the field value is not NULL. | Informational functions |
isnull(X) | Returns TRUE if the field value is NULL. | Informational functions |
isnum(X) | Returns TRUE if the field value is a number. | Informational functions |
isstr(X) | Returns TRUE if the field value is a string. | Informational functions |
len(X) | Returns the count of the number of characters (not bytes) in the string. | Text functions |
like(TEXT, PATTERN) | Returns TRUE if TEXT matches PATTERN. | Comparison and Conditional functions |
ln(X) | Returns the natural logarithm. | Mathematical functions |
log(X,Y) | Returns the logarithm of X using Y as the base. If Y is omitted, base 10 is used. | Mathematical functions |
lower(X) | Converts the string to lowercase. | Text functions |
ltrim(X,Y) | Trims the characters represented in Y from the left side of the string. | Text functions |
match(SUBJECT, "REGEX") | Returns TRUE or FALSE based on whether REGEX matches SUBJECT. | Comparison and Conditional functions |
max(X,...) | Returns the maximum of the string or numeric values. | Statistical eval functions |
md5(X) | Computes the md5 hash for the value X. | Cryptographic functions |
min(X,...) | Returns the minimum of the string or numeric values. | Statistical eval functions |
mvappend(X,...) | Returns a multivalue result based on all of the values specified. | Multivalue eval functions |
mvcount(MVFIELD) | Returns the count of the number of values in the specified field. | Multivalue eval functions |
mvdedup(X) | Removes all of the duplicate values from a multivalue field. | Multivalue eval functions |
mvfilter(X) | Filters a multivalue field based on an arbitrary Boolean expression X. | Multivalue eval functions |
mvfind(MVFIELD,"REGEX") | Finds the index of a value in a multivalue field that matches the REGEX. | Multivalue eval functions |
mvindex(MVFIELD,STARTINDEX,ENDINDEX) | Returns a set of values from a multivalue field described by STARTINDEX and ENDINDEX. | Multivalue eval functions |
mvjoin(MVFIELD,STR) | Takes all of the values in a multivalue field and appends them together delimited by STR. | Multivalue eval functions |
mvrange(X,Y,Z) | Creates a multivalue field with a range of numbers between X and Y, incrementing by Z. | Multivalue eval functions |
mvsort(X) | Returns the values of a multivalue field sorted lexicographically. | Multivalue eval functions |
mvzip(X,Y,"Z") | Takes two multivalue fields, X and Y, and combines them by stitching together the first value of X with the first value of field Y, then the second with the second, and so on. | Multivalue eval functions |
now() | Returns the time that the search was started. | Date and Time functions |
null() | This function takes no arguments and returns NULL. | Comparison and Conditional functions |
nullif(X,Y) | This function is used to compare fields. The function takes two arguments, X and Y, and returns NULL if X = Y. Otherwise it returns X. | Comparison and Conditional functions |
pi() | Returns the constant pi to 11 digits of precision. | Mathematical functions |
pow(X,Y) | Returns X to the power of Y, X^Y. | Mathematical functions |
printf("format",arguments) | Creates a formatted string based on a format description that you provide. | Conversion functions |
random() | Returns a pseudo-random integer ranging from zero to 2^31-1. | Statistical eval functions |
relative_time(X,Y) | Adjusts the time by a relative time specifier. | Date and Time functions |
replace(X,Y,Z) | Returns a string formed by substituting string Z for every occurrence of regex string Y in string X. | Text functions |
round(X,Y) | Returns X rounded to the amount of decimal places specified by Y. The default is to round to an integer. | Mathematical functions |
rtrim(X,Y) | Returns X with the characters in Y trimmed from the right side. | Text functions |
searchmatch(X) | Use this function to return TRUE if the search string (X) matches the event. | Comparison and Conditional functions |
sha1(X) | Computes the sha1 hash for the value X. | Cryptographic functions |
sha256(X) | Computes the sha256 hash for the value X. | Cryptographic functions |
sha512(X) | Computes the sha512 hash for the value X. | Cryptographic functions |
sigfig(X) | Rounds X to the appropriate number of significant figures. | Mathematical functions |
sin(X) | Computes the sine of X. | Trigonometry and Hyperbolic functions |
sinh(X) | Computes the hyperbolic sine of X. | Trigonometry and Hyperbolic functions |
spath(X,Y) | Extracts a value from a structured data type (XML or JSON) in X based on a location path in Y. | Text functions |
split(X,"Y") | Returns a mv field splitting X by the delimited character Y. | Multivalue eval functions |
sqrt(X) | Returns the square root of the value. | Mathematical functions |
strftime(X,Y) | Takes a UNIX time and renders it into a human readable format. | Date and Time functions |
strptime(X,Y) | Takes a human readable time and renders it into UNIX time. | Date and Time functions |
substr(X,Y,Z) | Returns a substring from X based on the starting position Y and the length Z. | Text functions |
tan(X) | Computes the tangent of X. | Trigonometry and Hyperbolic functions |
tanh(X) | Computes the hyperbolic tangent of X. | Trigonometry and Hyperbolic functions |
time() | The time that eval function was computed. The time will be different for each event, based on when the event was processed. | Date and Time functions |
tonumber(NUMSTR,BASE) | Converts a string to a number. | Conversion functions |
tostring(X,Y) | Converts the input, such as a number or a Boolean value, to a string. | Conversion functions |
trim(X,Y) | Trims the characters represented in Y from both sides of the string X. | Text functions |
true() | Returns TRUE. | Comparison and Conditional functions |
typeof(X) | Returns a string that indicates the field type, such as Number, String, Boolean, and so forth. | Informational functions |
upper(X) | Returns the string in uppercase. | Text functions |
urldecode(X) | Replaces URL escaped characters with the original characters. | Text functions |
validate(X,Y,...) | Use this function to return the string Y corresponding to the first expression X that evaluates to FALSE. This function is the opposite of the case function. | Comparison and Conditional functions |
See also
Topics:
Statistical and charting functions
Commands:
eval
fieldformat
where
Splunk SPL for SQL users
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9