Overview of SPL2 eval functions
Use evaluation functions to evaluate an expression, based on your events, and return a result.
Quick reference
See the Quick Reference for SPL2 eval functions for a list of the supported evaluation functions, along with a brief description and the syntax for each function.
Commands that use eval functions
You can use evaluation functions with the following commands:
 In the WHERE and SELECT clauses of the from command
 With the eval and where commands
 As part of evaluation expressions with other commands
Evaluation expressions are case-sensitive.
Using functions
 All functions that accept strings can accept either a literal string or any field.
 All functions that accept numbers can accept either literal numbers or any numeric field.
Specifying literal strings
For most evaluation functions, when a string argument is expected you can specify either a literal string or a field. The literal string must be enclosed in double quotation marks. For example, you have a field called name which contains the names of your servers. You want to append the literal string server at the end of the name. You would specify this: name + "server".
Nested functions
You can specify a function as an argument to another function.
In the following example, the cidrmatch function is used as the first argument in the if function.
... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")
The following example uses the in function as the first parameter for the if function.
... | eval error=if(in(status, "error", "failure", "severe"), "true", "false")
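The two nested calls above can feed a further level of nesting to triage events by origin and outcome. This search is an added example, not part of the original documentation; the dataset name main and the fields ip, status, and name are assumptions.

```spl2
/* Added example. Assumed names: dataset main; fields ip, status, name. */
from main
/* Each if() takes another function's Boolean result as its first argument. */
| eval isLocal = if(cidrmatch("123.132.32.0/25", ip), "local", "not local"),
       error = if(in(status, "error", "failure", "severe"), "true", "false")
/* One level deeper: the inner if() supplies the "true" branch of the outer if(). */
| eval triage = if(error == "true",
                   if(isLocal == "local", "internal failure", "external failure"),
                   "ok")
/* "server" is a double-quoted literal string; name is read as a field. */
| eval label = name + "server"
/* Keep only the events that need review. */
| where triage != "ok"
| fields label, ip, status, triage
```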
Operators
The following tables list the basic mathematical operations that you can use with the evaluation functions. For these operations to work, the values need to be valid for the type of operation. For example, with the exception of addition, arithmetic operations might not produce valid results if the values are not numerical. When concatenating values, Splunk software reads the values as strings, regardless of the value.
Arithmetic operators
Operators  Action  Description
+  Addition  Accepts two numbers and produces a number.
-  Subtraction  Accepts two numbers and produces a number.
*  Multiplication  Accepts two numbers and produces a number.
/  Division  Accepts two numbers and produces a number.
%  Modulo  Accepts two numbers and produces a number.
Concatenation operator
Operator  Action  Description
+  Concatenation  Accepts both strings and numbers. Numbers are concatenated as strings. Produces a string.
Boolean operators
Operators  Action  Description
AND  Logical AND operator  Accepts two Boolean values and produces a Boolean.
OR  Logical OR operator  Accepts two Boolean values and produces a Boolean.
NOT  Logical NOT operator  Accepts one Boolean value and produces the inverse of the value.
XOR  Exclusive OR operator  Accepts two Boolean values and produces a Boolean.
<  Less than  Accepts two numbers and produces a Boolean.
>  Greater than  Accepts two numbers and produces a Boolean.
<=  Less than or equal to  Accepts two numbers or two strings and produces a Boolean.
>=  Greater than or equal to  Accepts two numbers and produces a Boolean.
!=  Not equal to  Accepts two numbers or two strings and produces a Boolean.
= or ==  Equal to  In expressions, the = and == operators are synonymous. These operators compare the values of the right side and the left side of the expression. Returns 1 (true) if the sides are equal. Returns 0 (false) if the sides are not equal.
LIKE  Text pattern matching operator  Accepts two strings. For example, string LIKE pattern. The pattern operator supports literal text, a percent ( % ) character for a wildcard, and an underscore ( _ ) character for a single character match.
For example, field 
See also
 Functions
 Overview of SPL2 statistical and charting functions
 Overview of SPL2 dataset_functions
 Custom eval functions
 Naming function arguments in the SPL2 Search Manual
This documentation applies to the following versions of Splunk® Cloud Services: current