eval command syntax details
The required syntax is in bold.
- <assignment_expression> ["," <assignment_expression> ]...
To specify multiple evaluations, separate each <assignment_expression> with a comma.
- Syntax: <field>=<expression> [, <field>=<expression> ] ...
- Description: The <field> is a destination field name for the result of the <expression>. If the field name already exists in your events, the eval command overwrites the values with the results of the <expression>. Otherwise the eval command creates a new field using <field>. The field name that you specify can't be a reserved word and can't include square brackets [ ]. See eval command usage.
- The <expression> is a <string> which can be a combination of values, variables, operators, and functions that are processed to determine the value to place in the destination <field>.
- The <expression> is case-sensitive. The syntax of the <expression> is checked before running the search, and an exception is returned for an invalid expression.
- The result of an eval statement cannot be a Boolean. If, at search time, the <expression> cannot be evaluated successfully for a given event, the eval command erases the resulting field.
- If the <expression> references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotation marks. For example, if the field name is server-1, you specify the field name like this:
  ...| eval new=count+'server-1'
- If the <expression> references literal strings, the expression needs to be surrounded by double quotation marks. For example, if the string you want to use is server-, you specify the string like this:
  ...| eval new="server-"+host
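The quoting rules above matter most when a search is assembled by a script from field names or strings it did not choose. The following Python helper is an added example, not part of the Splunk documentation. It renders eval clauses using the single-quote and double-quote rules described on this page. All function names are hypothetical, and because this page does not describe how to escape quotes or backslashes, the helper rejects such input instead of guessing.

```python
import re

_ALNUM = re.compile(r"[A-Za-z0-9]+")


def field_ref(name):
    """Reference a field inside an <expression>."""
    if not name:
        raise ValueError("empty field name")
    if _ALNUM.fullmatch(name):
        return name  # purely alphanumeric: no quoting needed
    # Assumption: escaping inside a quoted field name is not covered by the
    # page, so names containing a single quote or backslash are rejected.
    if "'" in name or "\\" in name:
        raise ValueError("field name cannot be quoted safely: %r" % name)
    return "'" + name + "'"


def string_literal(value):
    """Render a literal string for use inside an <expression>."""
    # Assumption: same conservative choice for double quotes and backslashes.
    if '"' in value or "\\" in value:
        raise ValueError("string cannot be quoted safely: %r" % value)
    return '"' + value + '"'


def dest_field(name, reserved=frozenset()):
    """Validate a destination <field>. The reserved-word list is supplied by
    the caller because this page does not enumerate it."""
    if not name or "[" in name or "]" in name or name in reserved:
        raise ValueError("invalid destination field: %r" % name)
    return name


def eval_clause(assignments, reserved=frozenset()):
    """Build 'eval <field>=<expression>, ...' from (field, expression) pairs."""
    if not assignments:
        raise ValueError("at least one assignment is required")
    parts = [dest_field(f, reserved) + "=" + expr for f, expr in assignments]
    return "eval " + ", ".join(parts)


if __name__ == "__main__":
    # Constructed inputs that reproduce the two examples from the page.
    print(eval_clause([("new", "count+" + field_ref("server-1"))]))
    print(eval_clause([("new", string_literal("server-") + "+" + field_ref("host"))]))
```
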
- Related information
- Types of expressions in the SPL2 Search Manual.
- eval command overview
- eval command usage
This documentation applies to the following versions of Splunk® Cloud Services: current