Evaluating fields
The command eval can create new fields using existing fields and arbitrary expressions, manage existing fields, enrich events by adding new fields, and parse fields with multiple values. There is a similar command peval.
The difference between the eval and peval commands is that the peval command is executed using a built-in scripting language at the storage level. For example, if OpenSearch is used as a data store, the peval command will be run using the Painless scripting language. The eval command, by contrast, is executed using the SAFL query language, regardless of the type of storage used.
The peval command can only be used after the commands source, search, and before the commands aggs and timeaggs.