About evaluating and manipulating fields
This chapter discusses the search commands that enable you to evaluate new fields, manipulate existing fields, enrich events by adding new fields, and parse fields with multiple values.
- At the core of evaluating new fields is the eval command and its functions. Unlike the stats command, which enables you to calculate statistics based on fields in your events, eval enables you to create new fields using existing fields and an arbitrary expression. The eval command has many functions. Read more about them in "Use the eval command and functions".
- You can easily enrich your data with more information at search time. Read more about how to "Use lookup to add fields from external lookup tables".
- The Splunk search language enables you to extract fields in different ways using a variety of search commands.
- Your events may contain fields with more than one value. The Splunk search language includes a variety of search commands and functions that work with multi-valued fields. Read more about how to "Manipulate and evaluate fields with multiple values".
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14