Splunk® Cloud Services

SPL2 Search Reference

eval command examples

The following are examples for using the SPL2 eval command. To learn more about the eval command, see How the SPL2 eval command works.

Many of these examples use the evaluation functions. See Quick Reference for SPL2 eval functions.

1. Pipeline examples

These examples show how to use the eval command in a pipeline.

Mask sensitive information in a pipeline

The following pipeline selects a subset of the data received by the Edge Processor or Ingest Processor, replaces credit card numbers in the _raw field with the word "<redacted>", and then sends the events to a destination. The regular expression /[1-5][0-9]{15}/i matches any run of 16 digits that begins with a digit from 1 through 5; the i flag has no effect on a digit-only pattern. Because the match is purely positional, it also masks other 16-digit values that begin with those digits (order or account identifiers, for example), and it does not match 13-, 15- or 19-digit card numbers or numbers written with spaces or dashes between the groups. The replace function overwrites _raw before the event reaches the destination, so the original value cannot be recovered later; test the pattern against representative sample data before you deploy the pipeline.

$pipeline = | from $source 
| eval _raw=replace(_raw, /[1-5][0-9]{15}/i, "<redacted>") 
| into $destination
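To see what the pattern above actually masks, here is an added Python example (not SPL2, and not part of the Splunk documentation) that runs the same regular expression over a few constructed log lines, beside a stricter masker that widens the candidate pattern to 13 to 19 digits with optional separators and redacts only candidates that pass a Luhn check. The card numbers are the standard public test PANs; the order id is constructed to look like a card number without being one.

```python
import re

# Constructed sample events. The PANs are public test numbers (Luhn-valid);
# the order id is a deliberately Luhn-invalid 16-digit value.
SAMPLE_EVENTS = [
    "2024-08-27T10:00:01 payment ok card=4111111111111111 amount=19.99",     # Visa test PAN, 16 digits
    "2024-08-27T10:00:02 payment ok card=378282246310005 amount=5.00",       # Amex test PAN, 15 digits
    "2024-08-27T10:00:03 payment ok card=4111 1111 1111 1111 amount=7.50",   # same Visa PAN, space-separated
    "2024-08-27T10:00:04 order created id=2024082710000400 user=alice",      # 16-digit order id, not a card
]

# The pattern from the SPL2 pipeline. Python's re handles it the same way as
# PCRE; the /i flag is a no-op on a digit-only pattern and is omitted here.
SPLUNK_PATTERN = re.compile(r"[1-5][0-9]{15}")


def mask_naive(line: str) -> str:
    """Equivalent of: eval _raw=replace(_raw, /[1-5][0-9]{15}/i, "<redacted>")"""
    return SPLUNK_PATTERN.sub("<redacted>", line)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a 20-digit run is not partially masked).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def mask_luhn(line: str) -> str:
    """Redact a candidate only when its digits pass the Luhn check."""
    def _redact(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return "<redacted>" if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_redact, line)


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print("naive:", mask_naive(line))
        print("luhn: ", mask_luhn(line))
```

Running it shows the naive pattern masking the 16-digit Visa number and the order id while leaving the Amex number and the space-separated Visa number in clear text, and the Luhn-checked version masking exactly the three card numbers. A Luhn check cannot be expressed inside a single replace call, so if your data carries formatted or non-16-digit card numbers, plan for more than one pattern and measure the false-positive rate on real samples.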

Use a cryptographic function to mask sensitive data in a pipeline

The following example masks the values in the ip_address field by replacing each value with its SHA-256 digest, using the sha256 function, and sets the index field so that the events are routed to the existing buttercup_masked index at the destination. Because sha256 is deterministic, the same address always produces the same digest, so events can still be grouped or joined on the masked field. It is also unkeyed: anyone who can enumerate the input space can recompute the digests, and the IPv4 address space is only 2^32 values, so this is pseudonymization rather than anonymization and the masked field should still be handled as sensitive.

$pipeline = | from $source  
| eval ip_address = sha256(ip_address) 
| eval index="buttercup_masked" 
| into $destination
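The following added Python example (not SPL2, and not Splunk's code) shows why an unkeyed digest of a low-entropy value is reversible: it masks a constructed address with SHA-256 the way the pipeline above does, then recovers it by hashing every address in a candidate range. The keyed variant, hmac_pseudonym, is an assumed alternative included for comparison; this page does not show a keyed-hash function in SPL2, and the key value is illustrative only.

```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Optional

# Constructed sample value and an illustrative key (not a real secret).
SAMPLE_IP = "10.0.0.42"
PSEUDONYM_KEY = b"illustrative-key-keep-real-keys-out-of-pipeline-config"


def splunk_style_sha256(value: str) -> str:
    """Mirror of: eval ip_address = sha256(ip_address)  (lowercase hex digest)."""
    return hashlib.sha256(value.encode()).hexdigest()


def hmac_pseudonym(value: str, key: bytes) -> str:
    """Keyed and still deterministic: same input gives the same output, so
    grouping and joining work, but recomputing a digest requires the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(digest: str, network: str,
                           hasher: Callable[[str], str]) -> Optional[str]:
    """Recover the address behind a digest by hashing every host in `network`.
    A /24 keeps the demonstration fast; the full IPv4 space is only 2**32
    candidates, which is minutes to hours of work on commodity hardware."""
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(hasher(str(addr)), digest):
            return str(addr)
    return None


def demo() -> dict:
    unkeyed = splunk_style_sha256(SAMPLE_IP)
    keyed = hmac_pseudonym(SAMPLE_IP, PSEUDONYM_KEY)
    return {
        # The unkeyed digest is recovered from the candidate range.
        "unkeyed_recovered": reverse_by_enumeration(unkeyed, "10.0.0.0/24", splunk_style_sha256),
        # Without the key, the same enumeration finds nothing.
        "keyed_recovered_without_key": reverse_by_enumeration(keyed, "10.0.0.0/24", splunk_style_sha256),
        # The keyed digest still behaves as a stable pseudonym.
        "keyed_is_deterministic": keyed == hmac_pseudonym(SAMPLE_IP, PSEUDONYM_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The point is the threat model rather than the API: a digest of a guessable value protects nothing against anyone who can enumerate the guesses, whereas a keyed pseudonym shifts the risk to protecting one key. If you need the masked field to be unlinkable as well as unrecoverable, hashing is the wrong tool altogether and the value should be dropped or tokenized.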

2. Create a new field that contains the result of a calculation

Create a new field called speed in each event. Calculate the speed by dividing the values in the distance field by the values in the time field. If time is 0 or either field is missing for an event, the speed field is null for that event rather than an error.

... | eval speed=distance/time

3. Use the if function to analyze field values

Create a new field called error in each event. Using the if function, set the value in the error field to OK if the status value is 200. Otherwise set the error field value to Problem.

... | eval error = if(status == 200, "OK", "Problem")

4. Convert values to lowercase

Create a new field in each event called lowuser. Using the lower function, populate the field with the lowercase version of the values in the username field.

... | eval lowuser = lower(username)

5. Specify field names that contain dashes or other characters

When a field name contains anything other than a-z, A-Z, 0-9, or the underscore ( _ ) character, you must enclose the name in single quotation marks. This includes the wildcard ( * ) character.

This example shows how to specify a field name that includes a dash. The lower function is used to populate the lowuser field with the lowercase version of the values in the user-name field.

... | eval lowuser = lower('user-name')

6. Calculate the sum of the areas of two circles

This example uses the pi and pow functions to calculate the area of two circles. A new field called sum_of_areas is created to store the sum of the areas of the two circles.

... | eval sum_of_areas = pi() * pow(radius_a, 2) + pi() * pow(radius_b, 2)

7. Return a string value based on the value of a field

This example uses the case function to evaluate the HTTP status codes in the error field. Based on the status code, a text interpretation is stored in a new field called error_msg. The case function returns the value paired with the first condition that is true; if no condition matches, the field is null. To supply a default, add a final pair whose condition is always true, for example true(), "Unknown".

... | eval error_msg = case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")

8. Concatenate values from two fields

Use the plus ( + ) sign to concatenate the values in the first_name field with the values in the last_name field. Use quotation marks to insert a space character between the two names. When concatenating, the values are read as strings, regardless of their actual type.

... | eval full_name = first_name+" "+last_name

The concatenation operator accepts both strings and numbers. Numbers are treated as strings, and the result is always a string.

9. Separate multiple eval operations with a comma

You can specify multiple eval operations by using a comma to separate the operations. In the following search the full_name evaluation uses the plus ( + ) sign to concatenate the values in the last_name field with the values in the first_name field. In this example, there is a comma and space between the last_name field and the first_name field. The low_name evaluation uses the lower function to convert the full_name evaluation into lowercase.

... | eval full_name = last_name+", "+first_name, low_name = lower(full_name)

10. Convert a numeric field value to a string and include commas in the output

Convert a numeric field value to a string and specify that the string value is displayed with commas. This example replaces the values in the existing field x instead of creating a new field for the converted values. If the original value of x is 1000000, this search returns x as 1,000,000.

... | eval x=tostring(x, "commas")

11. Include a currency symbol when you convert a numeric field value to a string

Using the previous example, you can include a currency symbol at the beginning of the string. Instead of returning x as 1,000,000, the search returns x as $1,000,000.

... | eval x="$"+tostring(x, "commas")

See also

eval command
eval command overview
eval command syntax details
eval command usage
Pipelines
Edge Processor pipeline syntax in the Use Edge Processors manual
Ingest Processor pipeline syntax in the Use Ingest Processors manual
Last modified on 27 August, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current

