
Overview of eval scalar functions
Use evaluation functions to evaluate an expression, based on your records, and return a result.
Functions that use eval functions
You can use evaluation functions with the eval, where, and select streaming functions and as part of evaluation expressions with other functions.
Using functions
- All functions that accept strings can accept either a literal string or any field.
- All functions that accept numbers can accept either literal numbers or any numeric field.
Specifying literal strings
For most evaluation functions, when a string argument is expected you can specify either a literal string or a field. The literal string must be enclosed in double quotation marks. For example, if you have a field called name which contains the names of your servers, and you want to append the literal string server at the end of the name, you would specify this: name + "server".
Nested functions
You can specify a function as an argument to another function.
In the following example, the cidrmatch function is used as the first argument in the if function.
... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local");
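The nested expression above, emulated in Python as an added example (not Splunk code and not part of the original documentation), to show which addresses the /25 covers and how the inner result feeds the if condition. The helper names, the sample records, and the choice to treat a missing or malformed ip as a non-match are assumptions of this example, not documented Splunk behavior.

```python
import ipaddress

# Constructed sample records; the "ip" field name comes from the page's example.
SAMPLE = [
    {"host": "web01", "ip": "123.132.32.0"},     # first address in the /25
    {"host": "web02", "ip": "123.132.32.127"},   # last address in the /25
    {"host": "web03", "ip": "123.132.32.128"},   # same /24, outside the /25
    {"host": "web04", "ip": "not-an-ip"},        # malformed value
    {"host": "web05"},                           # ip field missing
]

def cidr_bounds(cidr):
    """Return (first address, last address, address count) for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1]), net.num_addresses

def cidrmatch(cidr, ip):
    """Stand-in for cidrmatch: True when ip lies inside cidr.
    Assumption of this example: a missing or malformed ip is a non-match."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=True)
    except (ValueError, TypeError):
        return False

def eval_is_local(record, cidr="123.132.32.0/25"):
    """Emulate: eval isLocal=if(cidrmatch(cidr, ip), "local", "not local")."""
    out = dict(record)
    # The inner function result becomes the first (condition) argument of if().
    out["isLocal"] = "local" if cidrmatch(cidr, record.get("ip")) else "not local"
    return out

def tag_records(records):
    """Apply the emulated eval to every record, leaving the inputs unchanged."""
    return [eval_is_local(r) for r in records]

if __name__ == "__main__":
    print(cidr_bounds("123.132.32.0/25"))
    for rec in tag_records(SAMPLE):
        print(rec.get("ip"), "->", rec["isLocal"])
```
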
Operators
The following tables list the basic mathematical operations that you can use with the evaluation functions. For these operations to work, the values need to be valid for the type of operation. For example, with the exception of addition, arithmetic operations might not produce valid results if the values are not numerical. When concatenating values, Splunk software reads the values as strings, regardless of the value.
Arithmetic operators
Operators | Action | Description |
---|---|---|
+ | Addition | Accepts two numbers and produces a number. |
- | Subtraction | Accepts two numbers and produces a number. |
* | Multiplication | Accepts two numbers and produces a number. |
/ | Division | Accepts two numbers and produces a number. |
% | Modulo | Accepts two numbers and produces a number. |
Boolean operators
Operators | Action | Description |
---|---|---|
AND | Logical AND operator | Accepts two Boolean values and produces a Boolean. |
OR | Logical OR operator | Accepts two Boolean values and produces a Boolean. |
NOT | Logical NOT operator | Accepts one Boolean value and produces the inverse of the value. |
XOR | Exclusive OR operator | Accepts two Boolean values and produces a Boolean. |
IS NULL | NULL operator | Accepts a value and returns TRUE if the field value is NULL. |
IS NOT NULL | NULL operator | Accepts a value and returns TRUE if the field value is not NULL. |
< | Less than | Accepts two numbers and produces a Boolean. |
> | Greater than | Accepts two numbers and produces a Boolean. |
<= | Less than or equal to | Accepts two numbers or two strings and produces a Boolean. |
>= | Greater than or equal to | Accepts two numbers and produces a Boolean. |
!= | Not equal to | Accepts two numbers or two strings and produces a Boolean. |
= or == | Equal to | In expressions, the = and == operators are synonymous. These operators compare the value of right side and left side of the expression. Returns 1 (true) if the sides are equal. Returns 0 (false) if the sides are not equal. |
LIKE | Text pattern matching operator | Accepts two strings. For example string LIKE pattern. The pattern operator supports literal text, a percent (%) character for a wildcard, and an underscore (_) character for a single character match. For example, field |
IN | Matching operator | Accepts a value and a list, and checks whether the value is in the list. The list can either be a list literal or a field containing a list. For example string IN (1, 2, 3) or string IN (list_field). Returns a Boolean. |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0, 1.2.0