Use stats with eval expressions and functions
This topic discusses how to use eval expressions and functions within your stats calculation.
- For more information about the eval command and syntax, see the eval command in the Search Reference manual.
- For the list of eval functions, see Functions for eval and where in the Search Reference manual.
- Also, you can read more about using the eval command to evaluate and manipulate fields in this manual.
Example 1: Distinct counts of matching events
Let's say you have errors and you want to count the IP addresses where the errors originate. This is similar to a search for events, filtered for a specific code, and then used with the stats command to count the IP addresses:
... | search error=404 | stats dc(ip)
The best way to do this with an eval expression is:
... | stats dc(eval(if(error==404, ip, NULL))) AS dc_ip
Example 2: Categorizing and counting fields
Find out how much of your organization's email comes from
.org, or other top level domains.
sourcetype="cisco_esa" mailfrom=* | eval accountname=split(mailfrom,"@") | eval from_domain=mvindex(accountname,-1) | stats count(eval(match(from_domain, "[^\n\r\s]+\.com"))) AS ".com", count(eval(match(from_domain, "[^\n\r\s]+\.net"))) AS ".net", count(eval(match(from_domain, "[^\n\r\s]+\.org"))) AS ".org", count(eval(NOT match(from_domain, "[^\n\r\s]+\.(com|net|org)"))) AS "other"
The first half of this search uses eval to break up the email address in the
mailfrom field and define the
from_domain as the portion of the
mailfrom field after the
The results are then piped into the
stats command. The
count() function is used to count the results of the
eval expression. Here,
eval uses the
match() function to compare the
from_domain to a regular expression that looks for the different suffixes in the domain. If the value of
from_domain matches the regular expression, the
count is updated for each suffix,
.com, .net, and .org. Other domain suffixes are counted as
This produces the following results table:
Note: This example used generated email data (
sourcetype=cisco_esa). You should be able to run this example on any email data by replacing the
sourcetype=cisco_esa with your data's
sourcetype value and the
mailfrom field with your data's email address field name (for example, it might be
To, From, or Cc).
Use the stats command and functions
Add sparklines to search results
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14