About evaluating and manipulating fields
This section discusses the search commands that enable you to evaluate new fields, manipulate existing fields, enrich events by adding new fields, and parse fields with multiple values.
- At the core of evaluating new fields is the eval command and its functions. Unlike the stats command, which enables you to calculate statistics based on fields in your events, the eval command enables you to create new fields using existing fields and an arbitrary expression. The eval command has many functions. See Use the eval command and functions.
- You can easily enrich your data with more information at search time. See Use lookup to add fields from external lookup tables.
- You can use the Splunk SPL (search processing language) to extract fields in different ways using a variety of search commands.
- Your events might contain fields with more than one value. There are search commands and functions that work with multivalue fields. See Manipulate and evaluate fields with multiple values.
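The following search is an added example, not taken from the Splunk documentation, that shows the eval, multivalue and stats pieces described above working together on web access events. It assumes an index named web whose events carry the fields status, bytes, uri_path and clientip.

```spl
index=web sourcetype=access_combined
| eval status_class=case(status>=500, "server_error", status>=400, "client_error", status>=300, "redirect", true(), "ok")
| eval kb=round(bytes/1024, 1)
| eval is_failed_auth=if(uri_path="/login" AND status=401, 1, 0)
| eval path_parts=split(uri_path, "/")
| eval path_depth=mvcount(path_parts)-1
| stats count AS requests, sum(is_failed_auth) AS failed_logins, avg(kb) AS avg_kb, max(path_depth) AS max_depth BY clientip, status_class
| where failed_logins > 20
| sort - failed_logins
```

The first three eval calls create per-event fields from an expression (status_class, kb, is_failed_auth), split and mvcount turn uri_path into a multivalue field and count its segments (the leading slash yields an empty first element, hence the -1), and only then does stats aggregate those new fields per client so that where can flag clients with many failed logins.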
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105