The eval command calculates an expression and puts the resulting value into a field (e.g. “…| eval force = mass * acceleration”). The following table lists the functions eval understands, in addition to basic arithmetic operators (+ – * / %), string concatenation (e.g., ‘…| eval name = last . “, ” . last’), boolean operations (AND OR NOT XOR < > <= >= != = == LIKE)
| Function | Description | Examples |
|---|---|---|
| abs(X) | Returns the absolute value of X. | abs(number) |
| case(X,”Y”,…) | Takes pairs of arguments X and Y, where X arguments are Boolean expressions that, when evaluated to TRUE, return the corresponding Y argument. | case(error == 404, "Not found", error == 500,"Internal Server Error", error == 200, "OK") |
| cidrmatch(“X”,Y) | Identifies IP addresses that belong to a particular subnet. | cidrmatch("123.132.32.0/25",ip) |
| ceil(X) | Ceiling of a number X. | ceil(1.9) |
| coalesce(X,…) | Returns the first value that is not null. | coalesce(null(), "Returned val", null()) |
| exact(X) | Evaluates an expression X using double precision floating point arithmetic. | exact(3.14*num) |
| exp(X) | Returns eX | exp(3) |
| floor(X) | Returns the floor of a number X | floor(1.9) |
| if(X,Y,Z) | If X evaluates to TRUE, the result is the second argument Y. If X evaluates to FALSE, the result evaluates to the third argument Z. | if(error==200, "OK", "Error") |
| isbool(X) | Returns TRUE if X is Boolean. | isbool(field) |
| isint(X) | Returns TRUE if X is an integer | isint(field) |
| isnotnull(X) | Returns TRUE if X is not NULL. | isnotnull(field) |
| isnull(X) | Returns TRUE if X is NULL | isnull(field) |
| isnum(X) | Returns TRUE if X is a number | isnum(field) |
| isstr() | Returns TRUE if X is a string. | isstr(field) |
| len(X) | This function returns the character length of a string X | len(field) |
| like(X,”Y”) | Returns TRUE if and only if X is like the SQLite pattern in Y. | like(field, "foo%") |
| ln(X) | Returns its natural log | ln(bytes) |
| log(X,Y) | Returns the log of the first argument X using the second argument Y as the base. Y defaults to 10. | log(number,2) |
| lower(X) | Returns the lowercase of X. | lower(username) |
| ltrim(X,Y) | Returns X with the characters in Y trimmed from the left side. Y defaults to spaces and tabs. | ltrim(" ZZZabcZZ ", " Z") |
| match(X,Y) | Returns if X matches the regex pattern Y | match(field, "^\d{1,3}\.\d$") |
| max(X,…) | Returns the max. | max(delay, mydelay) |
| md5(X) | Returns the MD5 hash of a string value X. | md5(field) |
| min(X,…) | Returns the min | min(delay, mydelay) |
| mvcount(X) | Returns the number of values of X | mvcount(multifield) |
| mvfilter(X) | Filters a multi-valued field based on the Boolean expression X. | mvfilter(match(email, "net$")) |
| mvindex(X,Y,Z) | Returns a subset of the multivalued field X from start position (zerobased) Y to Z (optional). | mvindex( multifield, 2) |
| mvjoin(X,Y) | Given a multi-valued field X and string delimiter Y, and joins the individual values of X using Y. | mvjoin(foo, ";") |
| now() | Returns the current time, represented in Unix time. | now() |
| null() | This function takes no arguments and returns NULL. | null() |
| nullif(X,Y) | Given two arguments, fields X and Y, and returns the X if the arguments are different; returns NULL, otherwise | nullif(fieldA, fieldB) |
| pi() | Returns the constant pi. | pi() |
| pow(X,Y) | Returns XY. | pow(2,10) |
| random() | Returns a pseudo-random number ranging from 0 to 2147483647 | random() |
| relative_time(X,Y) | Given epochtime time X and relative time specifier Y, returns the epochtime value of Y applied to X. | relative_time(now(),"-1d@d") |
| replace(X,Y,Z) | Returns a string formed by substituting string Z for every occurrence of regex string Y in string X. | Returns date with the month and day numbers switched, so if the input was 1/12/2009 the return value would be 12/1/2009: replace(date, "^(\d{1,2})/(\d{1,2})/", "\2/\1/") |
| round(X,Y) | Returns X rounded to the amount of decimal places specified by Y. The default is to round to an integer. | round(3.5) |
| rtrim(X,Y) | Returns X with the characters in Y trimmed from the right side. If Y is not specified, spaces and tabs are trimmed. | rtrim(" ZZZZabcZZ ", " Z") |
| searchmatch(X) | Returns true if the event matches the search string X | searchmatch("foo AND bar") |
| split(X,”Y”) | Returns X as a multi-valued field, split be delimiter Y. | split(foo, ";") |
| sqrt(X) | Returns the square root of X. | sqrt(9) |
| strftime(X,Y) | Returns epochtime value X rendered using the format specified by Y. | strftime(_time, "%H:%M") |
| strptime(X,Y) | Given a time represented by a string X, returns value parsed from format Y. | strptime(timeStr, "%H:%M") |
| substr(X,Y,Z) | Returns a substring field X from start position (1-based) Y for Z (optional) characters | substr("string", 1, 3)+substr("string", -3) |
| time() | Returns the wall-clock time with microsecond resolution. | time() |
| tonumber(X,Y) | Converts input string X to a number, where Y (optional, defaults to 10) defines the base of the number to convert to. | tonumber("0A4",16) |
| tostring(X,Y) | Returns a field value of X as a string. If the value of X is a number, it reformats it as a string; if a Boolean value, either "True" or "False". If X is a number, the second argument Y is optional and can either be "hex" (convert X to hexadecimal), "commas" (formats X with commas and 2 decimal places), or "duration" (converts seconds X to readable time format HH:MM:SS). | This example returns: foo=615 and foo2=00:10:15: … | eval foo=615 | eval foo2 = tostring(foo, "duration") |
| trim(X,Y) | Returns X with the characters in Y trimmed from both sides. If Y is not specified, spaces and tabs are trimmed. | trim(" ZZZZabcZZ ", " Z") |
| typeof(X) | Returns a string representation of its type. | This example returns: "NumberStringBoolInvalid": typeof(12)+ typeof("string")+typeof(1==2)+ typeof(badfield) |
| upper(X) | Returns the uppercase of X | upper(username) |
| urldecode(X) | Returns the URL X decoded. | urldecode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader") |
| validate(X,Y,…) | Given pairs of arguments, Boolean expressions X and strings Y, returns the string Y corresponding to the first expression X that evaluates to False and defaults to NULL if all are True. | validate(isint(port), "ERROR: Port is not an integer", port >= 1 AND port <= 65535, "ERROR: Port is out of range") |