Use stats with eval expressions and functions
This topic discusses how to use eval expressions and functions within your stats calculation.
- For more information about the eval command and syntax, see the eval command in the Search Reference.
- For the list of eval functions, see Evaluation functions in the Search Reference.
- Also, you can read more about using the eval command to evaluate and manipulate fields in another section in this manual.
Example 1: Distinct counts of matching events
This example counts the IP addresses where the errors originate. This is similar to a search for events that is filtered for a specific error code, and then used with the stats command to count the IP addresses.
status=404 | stats dc(ip)
The best way to do this with an eval expression is:
status=404 | stats dc(eval(if(status=404, ip, NULL))) AS dc_ip
Example 2: Categorizing and counting fields
|This example uses sample email data. You should be able to run this search on any email data by replacing the |
Find out how much of the email in your organization comes from .com, .net, .org or other top level domains.
eval command in this search contains two expressions, separated by a comma.
| eval accountname=split(mailfrom,"@"), from_domain=mvindex(accountname,-1)
| stats count(eval(match(from_domain, "[^\n\r\s]+\.com"))) AS ".com",
count(eval(match(from_domain, "[^\n\r\s]+\.net"))) AS ".net",
count(eval(match(from_domain, "[^\n\r\s]+\.org"))) AS ".org",
count(eval(NOT match(from_domain, "[^\n\r\s]+\.(com|net|org)"))) AS "other"
- The first part of this search uses the
evalcommand to break up the email address in the
from_domainis defined as the portion of the
mailfromfield after the
split()function is used to break the
mailfromfield into a multivalue field called
accountname. The first value of
accountnameis everything before the "@" symbol, and the second value is everything after.
mvindex()function is used to set
from_domainto the second value in the multivalue field
- The results are then piped into the
count()function is used to count the results of the
match()function to compare the
from_domainto a regular expression that looks for the different suffixes in the domain. If the value of
from_domainmatches the regular expression, the
countis updated for each suffix,
.org. Other domain suffixes are counted as
The results appear on the Statistics tab and look something like this:
Use the stats command and functions
Add sparklines to search results
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.2.6, 7.0.2, 7.0.0, 7.0.3, 7.0.5, 7.0.8, 7.1.3, 7.1.6, 7.2.3, 7.2.4