On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach its end of support date. See the Splunk Software Support Policy for details.
Eval
This topic describes how to use the Eval function in the Splunk Data Stream Processor.
Description
The Eval function calculates an expression and puts the resulting value into the record as a new field.
- If the field name that you specify does not match a field in the data stream, a new top-level field is added to your record.
- If the field name that you specify matches a field name that already exists in the data stream, the results of the eval expression overwrite the values in that field.
You can chain multiple eval expressions in a single Eval function using a comma to separate subsequent expressions. The Eval function processes multiple eval expressions in-order and lets you reference previously evaluated fields in subsequent expressions.
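As an added example (not from the original page), the following single Eval function chains three expressions, and each later expression reads a field that the one before it produced: the body field is cast to a string, that string is hashed, and a severity label is derived from the status field. The field names body_text, body_sha256 and severity are assumed; sha256 is assumed to be one of the cryptographic scalar functions listed on this page; status is assumed to be a numeric field, as in the if example further down.

```spl2
...| eval body_text=cast(body, "string"),
          body_sha256=sha256(body_text),
          severity=if(status >= 500, "critical", if(status >= 400, "error", "ok")) |...;
```

Because the expressions run in order, body_sha256 sees body_text as already set. Swapping the first two expressions would make the hash reference a field that does not yet exist in the record, so keep dependent expressions after the ones they depend on.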
How the Eval function works
Most of the time the Eval function is used to create a new top-level field in your data and the values in that new field are the result of an expression. There are many types of expressions you can specify.
Using Eval functions
There are dozens of scalar functions that you can use in the eval expression. The functions are organized into these categories:
- Casting functions
- Conditional functions
- Conversion functions
- Cryptographic functions
- Date and Time functions
- Iterator functions
- List functions
- Map functions
- Mathematical functions
- String manipulation
For examples of how to use these scalar functions in your Eval function, see the Examples on this page.
Difference between Select and Eval
Both functions change the fields in a record. The Eval function keeps all existing fields and adds (or overwrites) the fields named on the left-hand side of each eval expression. The Select function outputs only the fields explicitly listed in the select function; any field that is not listed is dropped from the record.
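To make the difference concrete, here are two added example statements (not from the original page) that compute the same is_error flag. Assume each incoming record carries the fields source_type, status, host and body, and that status is numeric. The select AS alias syntax is assumed to follow the Select function documentation.

```spl2
...| eval is_error=if(status >= 400, true, false) |...;
...| select source_type, status, if(status >= 400, true, false) AS is_error |...;
```

After the eval, the record still has source_type, status, host and body, plus the new is_error field. After the select, only source_type, status and is_error remain; host and body are no longer in the record. Use Eval when downstream functions still need the original fields, and Select when you deliberately want to drop them, for example to keep raw body content out of a destination that should only receive derived fields.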
Syntax
eval <field>=<expression> ["," <field>=<expression> ]...
The eval keyword and the first <field>=<expression> pair are required. The bracketed, comma-separated pairs are optional and can be repeated.
Function Input/Output Schema
- Function Input
- collection<record<R>>
- This function takes in collections of records with schema R.
- Function Output
- collection<record<S>>
- This function outputs the same collection of records but with a different schema S.
Required arguments
- field
- Syntax: <string>
- Description: A destination field name for the resulting calculated value. If the field name already exists in your records, eval overwrites the value.
- expression
- Syntax: <string>
- Description: A combination of values, variables, operators, and functions that will be executed to determine the value to place in your destination field.
Examples
Examples of common use cases follow. These examples assume that you have added the function to your pipeline.
1. SPL2 Example: Change the value of source_type field
This example assumes that you are in the SPL View.
...| eval source_type="ASA" |...;
2. SPL2 Example: Replace a string and return the replacement string in a new field
This example assumes that you are in the SPL View.
In this example, the replace function performs a text replacement and returns "foobar" in a new top-level field called newfield.
... | eval newfield=replace("bar", /(bar)/, "foo$1");
3. SPL2 Example: Use the if function to analyze field values
This example assumes that you are in the SPL View.
Create a new field called error in each record. Using the if function, set the value in the error field to OK if the status value is 200. Otherwise, set the error field value to Problem.
...| eval error = if(status == 200, "OK", "Problem") |...;
Extract metrics data from the body field. The body field is cast to a string before the regular expression is applied, and the named capture groups (group, series and data) are returned in the metrics field.
...| eval metrics=extract_regex(cast(body, "string"), /group=(?<group>\S+),\s?series="(?<series>[^"]+)",\s?(?<data>.*)$/) |...;
4. SPL2 Example: Add the key-value pair "some_key": "some_value" to the map in the attributes field
This example assumes that you are in the SPL View.
...| eval attributes=map_set(attributes, "some_key", "some_value")| ...;
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0, 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6