Splunk Cloud Platform

Search Manual

Use stats with eval expressions and functions

You can embed eval expressions and functions within any of the stats functions. This is a shorthand method for creating a search without using the eval command separately from the stats command.

For example, the following search uses the eval command to filter for a specific error code. Then the stats function is used to count the distinct IP addresses.

status=* | eval dc_ip_errors=if(status=404,clientip,NULL()) | stats dc(dc_ip_errors)

As an alternative, you can embed an eval expression using eval functions in a stats function directly to return the same results. For example:

status=* | stats dc(eval(if(status=404, clientip, NULL()))) AS dc_ip_errors


Use eval expressions to count the different types of requests against each Web server

This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search.

Run the following search to use the stats command to determine the number of different page requests, GET and POST, that occurred for each Web server.

sourcetype=access_* | stats count(eval(method="GET")) AS GET, count(eval(method="POST")) AS POST BY host

This example uses eval expressions to specify the different field values for the stats command to count.

  • The first clause uses the count() function to count the Web access events that contain the method field value GET. Then, using the AS keyword, the field that represents these results is renamed GET.
  • The second clause does the same for POST events.
  • The counts of both types of events are then separated by the web server, using the BY clause with the host field.

The results appear on the Statistics tab and look something like this:

host GET POST
www1 8431 5197
www2 8097 4815
www3 8338 4654


Use eval expressions to categorize and count fields

This example uses sample email data. You should be able to run this search on any email data by replacing the sourcetype=cisco:esa with the sourcetype value and the mailfrom field with email address field name in your data. For example, the email might be To, From, or Cc).

Find out how much of the email in your organization comes from .com, .net, .org or other top level domains.

The eval command in this search contains two expressions, separated by a comma.

sourcetype="cisco:esa" mailfrom=* | eval accountname=split(mailfrom,"@"), from_domain=mvindex(accountname,-1) | stats count(eval(match(from_domain, "[^\n\r\s]+\.com"))) AS ".com", count(eval(match(from_domain, "[^\n\r\s]+\.net"))) AS ".net", count(eval(match(from_domain, "[^\n\r\s]+\.org"))) AS ".org", count(eval(NOT match(from_domain, "[^\n\r\s]+\.(com|net|org)"))) AS "other"

  • The first part of this search uses the eval command to break up the email address in the mailfrom field. The from_domain is defined as the portion of the mailfrom field after the @ symbol.
    • The split() function is used to break the mailfrom field into a multivalue field called accountname. The first value of accountname is everything before the "@" symbol, and the second value is everything after.
    • The mvindex() function is used to set from_domain to the second value in the multivalue field accountname.
  • The results are then piped into the stats command. The stats count() function is used to count the results of the eval expression.
  • Theeval eexpression uses the match() function to compare the from_domain to a regular expression that looks for the different suffixes in the domain. If the value of from_domain matches the regular expression, the count is updated for each suffix, .com, .net, and .org. Other domain suffixes are counted as other.

The results appear on the Statistics tab and look something like this:

.com .net .org other
4246 9890 0 3543

See also

Commands
eval command in the Search Reference
Related information
Statistical and charting functions in the Search Reference
Evaluation functions in the Search Reference
About evaluating and manipulating fields
Last modified on 11 May, 2020
Use the stats command and functions   Add sparklines to search results

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters