Evaluation functions
Use the evaluation functions to evaluate an expression, based on your events, and return a result. See the Quick reference section for the supported functions and their syntax.
Commands
You can use evaluation functions with the eval, fieldformat, and where commands, and as part of evaluation expressions.
Usage
- All functions that accept strings can accept literal strings or any field.
- All functions that accept numbers can accept literal numbers or any numeric field.
String arguments
For most evaluation functions, when a string argument is expected, you can specify either an explicit string or a field name. The explicit string is denoted by double quotation marks. In other words, when the function syntax specifies a string you can specify any expression that results in a string. For example, name + "server".
Nested functions
You can specify a function as an argument to another function.
In the following example, the cidrmatch function is used as the first argument in the if function.
... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")
The following example shows how to use the true() function to provide a default to the case function.
... | eval error=case(status == 200, "OK", status == 404, "Not found", true(), "Other")
Supported functions and syntax
The following table is a quick reference of the supported evaluation functions. This table lists the syntax and provides a brief description for each of the functions. Use the links in the table to learn more about each function and to see examples.
| Type of function | Supported functions and syntax | Description |
|---|---|---|
| Comparison and Conditional functions | case(X,"Y",...) | Accepts alternating conditions and values. Returns the first value for which the condition evaluates to TRUE. |
| | cidrmatch("X",Y) | Returns TRUE or FALSE based on whether an IP address matches a CIDR notation. |
| | coalesce(X,...) | This function takes an arbitrary number of arguments and returns the first value that is not NULL. |
| | false() | Returns FALSE. |
| | if(X,Y,Z) | If the condition X evaluates to TRUE, returns Y, otherwise returns Z. |
| | in(VALUE-LIST) | The function returns TRUE if one of the values in the list matches a value in the field you specify. |
| | like(TEXT, PATTERN) | Returns TRUE if TEXT matches PATTERN. |
| | match(SUBJECT, "REGEX") | Returns TRUE or FALSE based on whether REGEX matches SUBJECT. |
| | null() | This function takes no arguments and returns NULL. |
| | nullif(X,Y) | This function is used to compare fields. The function takes two arguments, X and Y, and returns NULL if X = Y. Otherwise it returns X. |
| | searchmatch(X) | Use this function to return TRUE if the search string (X) matches the event. |
| | true() | Returns TRUE. |
| | validate(X,Y,...) | Use this function to return the string Y corresponding to the first expression X that evaluates to FALSE. This function is the opposite of the case function. |
| Conversion functions | printf("format",arguments) | Creates a formatted string based on a format description that you provide. |
| | tonumber(NUMSTR,BASE) | Converts a string to a number. |
| | tostring(X,Y) | Converts the input, such as a number or a Boolean value, to a string. |
| Cryptographic functions | md5(X) | Computes the md5 hash for the value X. |
| | sha1(X) | Computes the secure hash of a string value X based on the FIPS compliant SHA-1 hash function. |
| | sha256(X) | Computes the secure hash of a string value X based on the FIPS compliant SHA-256 hash function. |
| | sha512(X) | Computes the secure hash of a string value X based on the FIPS compliant SHA-512 hash function. |
| Date and Time functions | now() | Returns the time that the search was started. |
| | relative_time(X,Y) | Adjusts the time by a relative time specifier. |
| | strftime(X,Y) | Takes a UNIX time and renders it into a human readable format. |
| | strptime(X,Y) | Takes a human readable time and renders it into UNIX time. |
| | time() | The time that the eval function was computed. The time will be different for each event, based on when the event was processed. |
| Informational functions | isbool(X) | Returns TRUE if the field value is Boolean. |
| | isint(X) | Returns TRUE if the field value is an integer. |
| | isnotnull(X) | Returns TRUE if the field value is not NULL. |
| | isnull(X) | Returns TRUE if the field value is NULL. |
| | isnum(X) | Returns TRUE if the field value is a number. |
| | isstr(X) | Returns TRUE if the field value is a string. |
| | typeof(X) | Returns a string that indicates the field type, such as Number, String, Boolean, and so forth. |
| Mathematical functions | abs(X) | Returns the absolute value. |
| | ceiling(X) | Rounds the value up to the next highest integer. |
| | exact(X) | Returns the result of a numeric eval calculation with a larger amount of precision in the formatted output. |
| | exp(X) | Returns the exponential function e^X. |
| | floor(X) | Rounds the value down to the next lowest integer. |
| | ln(X) | Returns the natural logarithm. |
| | log(X,Y) | Returns the logarithm of X using Y as the base. If Y is omitted, base 10 is used. |
| | pi() | Returns the constant pi to 11 digits of precision. |
| | pow(X,Y) | Returns X to the power of Y, X^Y. |
| | round(X,Y) | Returns X rounded to the amount of decimal places specified by Y. The default is to round to an integer. |
| | sigfig(X) | Rounds X to the appropriate number of significant figures. |
| | sqrt(X) | Returns the square root of the value. |
| Multivalue eval functions | commands(X) | Returns a multivalued field that contains a list of the commands used in X. |
| | mvappend(X,...) | Returns a multivalue result based on all of the values specified. |
| | mvcount(MVFIELD) | Returns the count of the number of values in the specified field. |
| | mvdedup(X) | Removes all of the duplicate values from a multivalue field. |
| | mvfilter(X) | Filters a multivalue field based on an arbitrary Boolean expression X. |
| | mvfind(MVFIELD,"REGEX") | Finds the index of a value in a multivalue field that matches the REGEX. |
| | mvindex(MVFIELD,STARTINDEX,ENDINDEX) | Returns a set of values from a multivalue field described by STARTINDEX and ENDINDEX. |
| | mvjoin(MVFIELD,STR) | Takes all of the values in a multivalue field and appends them together delimited by STR. |
| | mvrange(X,Y,Z) | Creates a multivalue field with a range of numbers between X and Y, incrementing by Z. |
| | mvsort(X) | Returns the values of a multivalue field sorted lexicographically. |
| | mvzip(X,Y,"Z") | Takes two multivalue fields, X and Y, and combines them by stitching together the first value of X with the first value of field Y, then the second with the second, and so on. |
| | split(X,"Y") | Returns a mv field splitting X by the delimited character Y. |
| Statistical eval functions | max(X,...) | Returns the maximum of the string or numeric values. |
| | min(X,...) | Returns the minimum of the string or numeric values. |
| | random() | Returns a pseudo-random integer ranging from zero to 2^31-1. |
| Text functions | len(X) | Returns the count of the number of characters (not bytes) in the string. |
| | lower(X) | Converts the string to lowercase. |
| | ltrim(X,Y) | Trims the characters represented in Y from the left side of the string. |
| | replace(X,Y,Z) | Returns a string formed by substituting string Z for every occurrence of regex string Y in string X. |
| | rtrim(X,Y) | Returns X with the characters in Y trimmed from the right side. |
| | spath(X,Y) | Extracts a value from a structured data type (XML or JSON) in X based on a location path in Y. |
| | substr(X,Y,Z) | Returns a substring from X based on the starting position Y and the length Z. |
| | trim(X,Y) | Trims the characters represented in Y from both sides of the string X. |
| | upper(X) | Returns the string in uppercase. |
| | urldecode(X) | Replaces URL escaped characters with the original characters. |
| Trigonometry and Hyperbolic functions | acos(X) | Computes the arc cosine of X. |
| | acosh(X) | Computes the arc hyperbolic cosine of X. |
| | asin(X) | Computes the arc sine of X. |
| | asinh(X) | Computes the arc hyperbolic sine of X. |
| | atan(X) | Computes the arc tangent of X. |
| | atan2(X,Y) | Computes the arc tangent of X,Y. |
| | atanh(X) | Computes the arc hyperbolic tangent of X. |
| | cos(X) | Computes the cosine of an angle of X radians. |
| | cosh(X) | Computes the hyperbolic cosine of X radians. |
| | hypot(X,Y) | Computes the hypotenuse of a triangle. |
| | sin(X) | Computes the sine of X. |
| | sinh(X) | Computes the hyperbolic sine of X. |
| | tan(X) | Computes the tangent of X. |
| | tanh(X) | Computes the hyperbolic tangent of X. |
See also
Functions:
Statistical and charting functions
Commands:
eval
fieldformat
where
Splunk Answers
Have questions? Visit Splunk Answers and search for a specific function or command.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13