Splunk® Data Stream Processor

Function Reference

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF


This topic describes how to use the function in the Splunk Data Stream Processor.


Calculates an expression and puts the resulting value into the record as a new field.

  • If the field name that you specify does not match a field in the data stream, a new top-level field is added to your record.
  • If the field name that you specify matches a field name that already exists in the data stream, the results of the eval expression overwrite the values in that field.

You can chain multiple eval expressions in a single eval function using a comma to separate subsequent expressions. The eval function processes multiple eval expressions in-order and lets you reference previously evaluated fields in subsequent expressions.

How the eval function works

Most of the time the eval function is used to create a new top-level field in your data and the values in that new field are the result of an expression. There are many types of expressions you can specify.

Using eval functions

There are dozens of scalar functions that you can use in the eval expression. The functions are organized into these categories:

For examples of how to use these scalar functions in your eval function, see the SPL2 examples on this page.

Difference between Select and Eval

Both functions are used to change the fields in the record. However, while the eval function keeps existing fields and adds new fields for the aliases in the eval, select only includes the fields explicitly specified in the select function.


The required syntax is in bold.

<field>=<expression> ["," <field>=<expression> ]...

Function Input/Output Schema

Function Input
This function takes in collections of records with schema R.
Function Output
This function outputs the same collection of records but with a different schema S.

Required arguments

Syntax: <string>
Description: A destination field name for the resulting calculated value. If the field name already exists in your events, eval overwrites the value.
Syntax: <string>
Description: A combination of values, variables, operators, and functions that will be executed to determine the value to place in your destination field.

SPL2 examples

Change the value of source_type field

...| eval source_type="ASA" |...;

Replace a string and return the replacement string in a new field

In this example, the replace function is used to perform a text replacement. Returns "foobar" in a new top-level field called newfield.

... | eval newfield=replace("bar", /(bar)/, "foo$1");

Use the if function to analyze field values

Create a new field called error in each record. Using the if function, set the value in the error field to OK if the status value is 200. Otherwise set the error field value to Problem.

...| eval error = if(status == 200, "OK", "Problem") |...;

Extract metrics data from body field

...| eval metrics=extract_regex(cast(body, "string"), /group=(?<group>S+),s?series="(?<series>[^"]+)",s?(?<data>.*)$/) |...;

Add the key-value pair "some_key": "some_value" to the map in the attributes field

...| eval attributes=map_set(attributes, "some_key", "some_value")| ...;
Last modified on 06 November, 2020
Drift Detection
Extract Timestamp

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0, 1.2.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters