
Add an eval expression attribute
You can add an eval expression attribute to any object in your data model. This attribute type uses eval expressions to create fields that can be added to events in your object dataset, in a manner similar to that of calculated fields.
1. In the Data Model Editor, open the object that you would like to add an attribute to.
2. Click Add Attribute. Select Eval Expression to define an eval expression attribute.
- The Add Attributes with an Eval Expression dialog appears.
3. Enter the Eval Expression that defines the attribute value.
- The Eval Expression text area should just contain the <eval-expression> portion of the eval syntax. There's no need to type the full syntax used in Search (eval <eval-field>=<eval-expression>).
4. Under Attribute enter the attribute Field Name and Display Name.
- The Field Name is the name of the attribute in your object data. The Display Name is the attribute name that your Pivot users see when they create pivots. Note: The Field Name cannot include whitespace, single quotes, double quotes, curly braces, or asterisks. The attribute Display Name cannot contain asterisks.
5. Define the attribute Type and set its Flag.
- For more information about the Flag values, see the subsection on marking attributes as hidden or required in "Define object attributes," in this manual.
6. (Optional) Click Preview to verify that the eval expression is working as expected.
- You should see events in table format with the new eval attribute(s) included as columns. For example, if you're working with an event-based object and you've added an eval attribute named gb, the preview event table should show a column labeled gb to the right of the first column (_time).
- The preview pane has two tabs. Events is the default tab. It presents the events in table format. The new eval attribute should appear to the right of the first column (the _time column).
- If you do not see values in this column, or you see the same value repeated in the events at the top of the list, it could mean that more values appear later in the sample. Select the Values tab to review the distribution of eval attribute values among the selected event sample. You can also change the Sample value to increase the number of events in the preview sample--this can sometimes uncover especially rare values of the field created by the eval expression.
- In the example below, the three real-time searches only appeared in the value distribution when Sample was expanded from First 1,000 events to First 10,000 events.
7. Click Save to save your changes and return to the Data Model Editor.
For more information about the eval command and the formatting of eval expressions, see the eval page as well as the topic "Evaluation functions" in the Search Reference.
Eval expressions can utilize attributes that have already been defined or calculated, which means you can chain attributes together. Attributes are processed in the order that they are listed from top to bottom. This means that you must place prerequisite attributes above the eval expression attribute that uses those attributes in its eval expression. In other words, if you have a calculation B that depends on another calculation A, make sure that calculation A comes before calculation B in the attribute order. For more information see the subsection on attribute order and chaining in "Define object attributes", in this manual.
You can use attributes of any type in an eval expression attribute definition. For example, you could create an eval expression attribute that uses an auto-extracted attribute and another eval expression attribute in its eval expression. It will work as long as those attributes are listed above the one you're creating.
When you create an eval expression attribute that uses the values of other attributes in its definition, you can optionally "hide" those other attributes by setting their Flag to Hidden. This ensures that only the final eval expression value is available to your Pivot users.
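The ordering rule above can be checked mechanically before a data model is saved. The following Python check is an added example, not part of the Splunk documentation or product: it reports eval expressions that reference an attribute listed below them, plus Field Names containing the characters that step 4 forbids. The check_attributes function, the (name, expression) tuple layout, the simplified field tokenizer and the sample attributes are assumptions, not Splunk's data model storage format.

```python
import re

# Characters the page says a Field Name cannot include.
FORBIDDEN = re.compile(r"[\s'\"{}*]")
# Double-quoted text is a string literal in eval, not a field reference.
STRING = re.compile(r'"(?:\\.|[^"\\])*"')
# Field reference: a single-quoted name, or a bare identifier that is not a
# function call (not followed by "("). Simplified tokenizer (assumption).
FIELD = re.compile(r"'([^']+)'|\b([A-Za-z_]\w*)\b(?!\s*\()")
OPERATORS = {"and", "or", "not", "xor", "like", "in"}

def check_attributes(attributes):
    """attributes: (field_name, eval_expression or None) pairs in editor order,
    top to bottom. Returns a list of (field_name, problem) tuples."""
    names = [name for name, _ in attributes]
    problems = []
    for i, (name, expr) in enumerate(attributes):
        if FORBIDDEN.search(name):
            problems.append((name, "Field Name contains a forbidden character"))
        if expr is None:  # not an eval expression attribute
            continue
        later = set(names[i + 1:])  # attributes processed after this one
        refs = set()
        for quoted, bare in FIELD.findall(STRING.sub('""', expr)):
            if quoted or bare.lower() not in OPERATORS:
                refs.add(quoted or bare)
        for ref in sorted(refs & later):
            problems.append((name, f"references '{ref}', which is listed below it"))
    return problems

# Constructed sample (hypothetical attributes, listed top to bottom).
SAMPLE = [
    ("bytes", None),                                 # auto-extracted attribute
    ("gb", "round(mb / 1024, 2)"),                   # mb is listed below gb
    ("mb", "bytes / 1024 / 1024"),
    ("size label", 'if(gb > 1, "large", "small")'),  # whitespace in Field Name
    ("is_big", "if('gb' > 1 AND mb > 0, \"yes\", \"no\")"),
]

if __name__ == "__main__":
    for name, problem in check_attributes(SAMPLE):
        print(f"{name}: {problem}")
```

Moving mb above gb and renaming "size label" to a name without whitespace makes the sample pass with no findings.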
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11