eval command syntax details

Syntax

The required syntax is in bold.

eval

<assignment_expression> ["," <assignment_expression> ]...

To specify multiple evaluations, separate each <assignment_expression> with a comma.

Required arguments

assignment_expression: Syntax: <field>=<expression> [, <field>=<expression> ] ...; Description: The <field> is a destination field name for the result of the <expression>. If the field name already exists in your events, the eval command overwrites the values with the results of the <expression>. Otherwise the eval command creates a new field using <field>. The field name that you specify can't be a reserved word and can't include square brackets [ ]. See eval command usage.

The <expression> is a <string> which can be a combination of values, variables, operators, and functions that are processed to determine the value to place in the destination <field>.

The <expression> is case-sensitive. The syntax of the <expression> is checked before running the search, and an exception is returned for an invalid expression.
The result of an eval statement cannot be a Boolean. If, at search time, the <expression> cannot be evaluated successfully for a given event, the eval command erases the resulting field.
If the <expression> references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotation marks. For example, if the field name is server-1 you specify the field name like this ...| eval new=count+'server-1'.
If the <expression> references literal strings, the expression needs to be surrounded by double quotation marks. For example, if the string you want to use is server- you specify the string like this ...| eval new="server-"+host.

Related answers from Splunk Community

eval command syntax details

Syntax

Required arguments

See also

Comments

eval command syntax details

Was this topic useful?