peval

Description

Performs various operations on the data. It is based on internal storage mechanisms.

danger

Using peval in a query is allowed if it is preceded only by commands that also work with internal storage mechanisms. These include source and search. This condition must also be met for all subqueries in the query.

Syntax

 | peval <field>=<expression>["," <field>=<expression>]...

Parameter	Syntax	Description
`field`	`<string>`	Name of the field with the result of the operation.
`expression`	`<expression>`	The operation (computation) or a set of operations to be performed to create the new field.

Data Types

eval operates with the following basic data types and attempts to retain the original or assigned data type in the response:

string
numeric
boolean
null
multivalue

info

Multivalues represent arrays of values, where each element is a basic data type.

OpenSearch Specifics

Scripts in OpenSearch handle numeric field types or keyword types for text fields. For text fields, you need to append <field name>.keyword.
Regular expressions must be wrapped in the regex function to ensure proper OpenSearch script handling:
- Syntax: regex("<regular expression>")
Allows executing custom painless scripts during command execution using the _script function:
- Syntax: _script("<script>", (<arg_name>, <arg_value>)...) :::

Examples

Example #1
source nix_events-*
| search host="SPB-*"
| peval agent= agent.keyword + port
| search agent="*log*77"
| aggs values(per_number) by agent

peval

Description​

Syntax​

Data Types​

Examples​

Description

Syntax

Data Types

Examples