Splunk® Cloud Services

SPL2 Search Reference

Overview of SPL2 eval functions

Use evaluation functions to evaluate an expression, based on your events, and return a result.

Quick reference

See the Quick Reference for SPL2 eval functions for a list of the supported evaluation functions, along with a brief description and the syntax for each function.

Commands that use eval functions

You can use evaluation functions with the following commands:

  • In the WHERE and SELECT clauses of the from command
  • With the eval and where commands
  • As part of evaluation expressions with other commands.

Evaluation expressions are case-sensitive.

Using functions

  • All functions that accept strings can accept either a literal string or any field. 
  • All functions that accept numbers can accept either literal numbers or any numeric field.

Specifying literal strings

For most evaluation functions, when a string argument is expected you can specify either an literal string or a field. The literal string must be enclosed in double quotation marks. For example, you have a field called name which contains the names of your servers. You want to append the literal string server at the end of the name. You would specify this: name + "server".​

Nested functions

You can specify a function as an argument to another function.

In the following example, the cidrmatch function is used as the first argument in the if function.

... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")


The following example uses the in function as the first parameter for the if function.

... | eval error=if(in(status, "error", "failure", "severe"), "true", "false")

Supported operators

The following tables list the basic mathematical operations that you can use with the evaluation functions. For these operations to work, the values need to be valid for the type of operation. For example, with the exception of addition, arithmetic operations might not produce valid results if the values are not numerical. When concatenating values, Splunk software reads the values as strings, regardless of the value.

Arithmetic operators

Each of the following operators accepts two numbers and produces a number. These operators can be used either with fields that contain numeric values or with literal numeric values.

Operators Action Examples
+ Addition

... | stats min(price+10)

- Subtraction

... | eval final=end-start

* Multiplication

...| eval diameter=circumference*3.14

/ Division

... | stats avg(bytes/1024)

% Modulo

... | stats avg(bytes) % 1024

SELECT filter(numbers, $num -> ($num % 2) == 0 AS even_numbers FROM main

... | eval n=(random() % 100000) + 1

See random function

Concatenation operator

Operator Action Description
+ Concatenation Accepts both strings and numbers. Numbers are concatenated as strings. Produces a string.

Boolean operators

Operators Action Description
AND Logical AND operator Accepts two Boolean values and produces a Boolean.
OR Logical OR operator Accepts two Boolean values and produces a Boolean.
NOT Logical NOT operator Accepts one Boolean value and produces the inverse of the value.
XOR Exclusive OR operator Accepts two Boolean values and produces a Boolean.
< Less than Accepts two numbers and produces a Boolean.
> Greater than Accepts two numbers and produces a Boolean.
<= Less than or equal to Accepts two numbers or two strings and produces a Boolean.
>= Greater than or equal to Accepts two numbers and produces a Boolean.
!= Not equal to Accepts two numbers or two strings and produces a Boolean.
= or == Equal to In expressions, the = and == operators are synonymous. These operators compare the value of right side and left side of the expression. Returns 1 (true) if the sides are equal. Returns 0 (false) if the sides are not equal.
LIKE Text pattern matching operator Accepts two strings. For example string LIKE pattern. The pattern operator supports literal text, a percent ( % ) character for a wildcard, and an underscore ( _ ) character for a single character match.

For example, field LIKE "a%b_" matches any string starting with a, followed by anything, followed by b, followed by one character.

See also

Commands
eval command overview
where command overview
Functions
Overview of SPL2 statistical and charting functions
Overview of SPL2 dataset_functions
Custom eval functions
Naming function arguments in the SPL2 Search Manual
Last modified on 29 July, 2023
Using SPL command functions   Quick Reference for SPL2 eval functions

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters