Add an eval expression field
You can add eval expression fields to any dataset in your data model. Use eval expressions to create fields and add them to events in a manner similar to that of calculated fields.
- In the Data Model Editor, open the dataset that you would like to add a field to.
- Click Add Field. Select Eval Expression to define an eval expression field.
- The Add Fields with an Eval Expression dialog appears.
- Enter the Eval Expression that defines the field value.
- The Eval Expression text area should just contain the
<eval-expression>
portion of theeval
syntax. There's no need to type the full syntax used in Search (eval <eval-field>=<eval-expression>
).
- The Eval Expression text area should just contain the
- Under Field enter the Field Name and Display Name.
- The Field Name is the name in your dataset. The Display Name is the field name that your Pivot users see when they create pivots. Note: The Field Name cannot include whitespace, single quotes, double quotes, curly braces, or asterisks. The field Display Name cannot contain asterisks.
- Define the field Type and set its Flag.
- For more information about the Flag values, see the subsection on marking fields as hidden or required in Define dataset fields
- (Optional) Click Preview to verify that the eval expression is working as expected.
- You should see events in table format with the new eval field(s) included as columns. For example, if you're working with an event-based dataset and you've added an eval field named gb, the preview event table should show a column labeled gb to the right of the first column (_time).
- The preview pane has two tabs. Events is the default tab. It presents the events in table format. The new eval field should appear to the right of the first column (the
_time
column).
- If you do not see values in this column, or you see the same value repeated in the events at the top of the list, it could mean that more values appear later in the sample. Select the Values tab to review the distribution of eval field values among the selected event sample. You can also change the Sample value to increase the number of events in the preview sample--this can sometimes uncover especially rare values of the field created by the eval expression.
- In the example below, the three real-time searches only appeared in the value distribution when Sample was expanded from First 1,000 events to First 10,000 events.
- Click Save to save your changes and return to the Data Model Editor.
For more information about the eval
command and the formatting of eval expressions, see the eval
page as well as the topic Evaluation functions in the Search Reference.
Eval expressions can utilize fields that have already been defined or calculated, which means you can chain fields together. Fields are processed in the order that they are listed from top to bottom. This means that you must place prerequisite fields above the eval expression fields that uses those fields in its eval expression. In other words, if you have a calculation B that depends on another calculation A, make sure that calculation A comes before calculation B in the field order. For more information see the subsection on field order and chaining in Define dataset fields.
You can use fields of any type in an eval expression field definition. For example, you could create an eval expression field that uses an auto-extracted field and another eval expression field in its eval expression. It will work as long as those fields are listed above the one you're creating.
When you create an eval expression field that uses the values of other fields in its definition, you can optionally "hide" those other fields by setting their Flag to Hidden. This ensures that only the final eval expression value is available to your Pivot users.
Add an auto-extracted field | Add a lookup field |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!