
Evaluating fields

The eval command can create new fields from existing fields and arbitrary expressions, manage existing fields, enrich events by adding new fields, and parse fields with multiple values. A similar command, peval, is also available.

The difference between the eval and peval commands is that the peval command is executed at the storage level using the data store's built-in scripting language. For example, if OpenSearch is used as the data store, the peval command is run using the Painless scripting language. The eval command, by contrast, is executed using the SAFL query language, regardless of the type of storage used.

The peval command can only be used after the source and search commands and before the aggs and timeaggs commands.