This topic describes how to use the function in the Splunk Data Stream Processor.
Calculates an expression and puts the resulting value into the record as a new field.
- If the field name that you specify does not match a field in the data stream, a new top-level field is added to your record.
- If the field name that you specify matches a field name that already exists in the data stream, the results of the eval expression overwrite the values in that field.
You can chain multiple eval expressions in a single eval function using a comma to separate subsequent expressions. The eval function processes multiple eval expressions in-order and lets you reference previously evaluated fields in subsequent expressions.
How the eval function works
Most of the time the eval function is used to create a new top-level field in your data and the values in that new field are the result of an expression. There are many types of expressions you can specify.
Using eval functions
There are dozens of scalar functions that you can use in the eval expression. The functions are organized into these categories:
- Casting functions
- Conditional functions
- Conversion functions
- Cryptographic functions
- Date and Time functions
- Iterator functions
- List functions
- Map functions
- Mathematical functions
- String manipulation
For examples of how to use these scalar functions in your eval function, see the SPL2 examples on this page.
Difference between Select and Eval
Both functions are used to change the fields in the record. However, while the eval function keeps existing fields and adds new fields for the aliases in the eval, select only includes the fields explicitly specified in the select function.
The required syntax is the first <field>=<expression> pair; the part in square brackets is optional and can be repeated.
- <field>=<expression> ["," <field>=<expression> ]...
Function Input/Output Schema
- Function Input
- This function takes in collections of records with schema R.
- Function Output
- This function outputs the same collection of records but with a different schema S.
field
- Syntax: <string>
- Description: A destination field name for the resulting calculated value. If the field name already exists in your events, eval overwrites the value.
expression
- Syntax: <string>
- Description: A combination of values, variables, operators, and functions that is evaluated to determine the value to place in your destination field.
Change the value of source_type field
...| eval source_type="ASA" |...;
Replace a string and return the replacement string in a new field
In this example, the replace function is used to perform a text replacement. The expression returns "foobar" in a new top-level field called newfield.
... | eval newfield=replace("bar", /(bar)/, "foo$1");
Use the if function to analyze field values
Create a new field called error in each record. Using the if function, set the value in the error field to OK if the status value is 200. Otherwise, set the error field value to Problem.
...| eval error = if(status == 200, "OK", "Problem") |...;
Extract metrics data from body field
...| eval metrics=extract_regex(cast(body, "string"), /group=(?<group>\S+),\s?series="(?<series>[^"]+)",\s?(?<data>.*)$/) |...;
Add the key-value pair "some_key": "some_value" to the map in the attributes field
...| eval attributes=map_set(attributes, "some_key", "some_value")| ...;
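The following Python model is an added illustration, not code from the Splunk documentation or from the Data Stream Processor itself. It reproduces the record semantics described on this page: eval keeps every existing field, adds a new top-level field or overwrites an existing one, applies chained expressions in order so that later expressions can read fields produced by earlier ones, and select keeps only the named fields. The helper functions eval_records, select_records, extract_regex and map_set are hypothetical stand-ins for the DSP functions of the same purpose, the sample records are constructed, and the metrics pattern is the one from the extract_regex example above rewritten with Python's (?P<name>...) named-group syntax.

```python
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

Record = Dict[str, Any]
Expression = Callable[[Record], Any]


def eval_records(records: List[Record], expressions: List[Tuple[str, Expression]]) -> List[Record]:
    """Hypothetical model of eval: apply (field, expression) pairs in order to each record.

    Existing fields are kept, a new field is added at the top level, and an existing
    field with the same name is overwritten. Each expression sees the fields produced
    by the expressions before it, which is what makes chaining work.
    """
    out = []
    for rec in records:
        new = dict(rec)  # shallow copy so the input records are not mutated
        for field, expr in expressions:
            new[field] = expr(new)
        out.append(new)
    return out


def select_records(records: List[Record], fields: List[str]) -> List[Record]:
    """Hypothetical model of select: keep only the explicitly listed fields."""
    return [{f: rec[f] for f in fields if f in rec} for rec in records]


# Python version of the page's extract_regex pattern; Python's re module spells
# named groups as (?P<name>...) rather than (?<name>...).
METRICS_RE = re.compile(r'group=(?P<group>\S+),\s?series="(?P<series>[^"]+)",\s?(?P<data>.*)$')


def extract_regex(text: str, pattern: "re.Pattern[str]") -> Optional[Dict[str, str]]:
    """Return the named groups as a map, or None when the pattern does not match."""
    m = pattern.search(text)
    return m.groupdict() if m else None


def map_set(mapping: Optional[Dict[str, Any]], key: str, value: Any) -> Dict[str, Any]:
    """Return a copy of the map with key set to value (does not mutate the input)."""
    updated = dict(mapping or {})
    updated[key] = value
    return updated


# Constructed sample records: one body line that matches the metrics pattern, one that does not.
SAMPLE_RECORDS: List[Record] = [
    {"source_type": "cisco", "status": 200,
     "body": 'group=cpu, series="cpu.usage", value=42 host=web01', "attributes": {}},
    {"source_type": "cisco", "status": 500,
     "body": "not a metrics line", "attributes": {"env": "prod"}},
]


def run_pipeline(records: List[Record] = SAMPLE_RECORDS) -> List[Record]:
    """Chain the page's examples as one eval, plus a final expression that reads the
    previously evaluated error field."""
    return eval_records(records, [
        ("source_type", lambda r: "ASA"),                                   # overwrite existing field
        ("error", lambda r: "OK" if r["status"] == 200 else "Problem"),    # new field via if()
        ("metrics", lambda r: extract_regex(str(r["body"]), METRICS_RE)),  # map or None
        ("attributes", lambda r: map_set(r["attributes"], "some_key", "some_value")),
        ("alert", lambda r: r["error"] == "Problem"),                      # references the earlier error field
    ])


if __name__ == "__main__":
    for rec in run_pipeline():
        print(rec)
    print(select_records(run_pipeline(), ["error", "alert"]))
```

Running the block prints the two evaluated records, then the same records projected down to the error and alert fields to show the eval/select difference. The second record shows the failure mode worth remembering: when the body does not match, the metrics field is still created, holding a null value, so downstream expressions must handle a missing match rather than assume the groups exist.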
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0, 1.2.0