eval command syntax details

Syntax

The required syntax is in bold.

eval

<assignment_expression> ["," <assignment_expression> ]...

To specify multiple evaluations, separate each <assignment_expression> with a comma.

Required arguments

assignment_expression

Syntax: <field>=<expression> [, <field>=<expression> ] ...

Description: The <field> is a destination field name for the result of the <expression>. If the field name already exists in your events, the eval command overwrites the values with the results of the <expression>. Otherwise the eval command creates a new field using <field>. The field name that you specify can't be a reserved word and can't include square brackets [ ]. See eval command usage.

The <expression> is a <string> which can be a combination of values, variables, operators, and functions that are processed to determine the value to place in the destination <field>.

• The <expression> is case-sensitive. The syntax of the <expression> is checked before running the search, and an exception is returned for an invalid expression.
• The result of an eval statement cannot be a Boolean. If, at search time, the <expression> cannot be evaluated successfully for a given event, the eval command erases the resulting field.
• If the <expression> references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotation marks. For example, if the field name is server-1 you specify the field name like this ...| eval new=count+'server-1'.
• If the <expression> references literal strings, the expression needs to be surrounded by double quotation marks. For example, if the string you want to use is server- you specify the string like this ...| eval new="server-"+host.

See also

eval command

eval command overview

eval command usage

eval command examples

Related information

Types of expressions in the SPL2 Search Manual.