eval
Description
Performs various operations on the data.
Syntax
| eval <field>=<expression>["," <field>=<expression>]...
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
| field | <string> | Name of the field with the result of the operation. |
| expression | <expression> | Operation (calculation) or a set of operations (calculations) to be performed for the new field. |
Data Types
eval operates with the following basic data types and attempts to retain the original or assigned data type in the output:
- string
- numeric
- boolean
- null
- multivalue
multivalue represents arrays of values, where each element is one of the basic data types.
Query examples
Example 1
Creating a field to classify the operation status based on the error code.
In this example, the if function checks whether the errNo field equals -1. If the condition is met, it returns the value OK; otherwise, it returns NOTOK.
source nix_events-* | eval res = if(errNo == -1, "OK", "NOTOK")
The query execution result may be the following table:
| errNo | res | status |
|---|---|---|
| -1 | OK | Integer |
| "-1" | OK | String |
| 200 | NOTOK | Integer |
| null | NOTOK | null |
Example 2
In this example, the case command classifies orders based on the value of the total_price field and saves the result in status.
... | eval status = case(total_price > 3000, "High", total_price > 2000, "Medium", true(), "Low")
The query execution result may be the following table:
| user | total_price | status |
|---|---|---|
| user1 | 4100 | High |
| user2 | 2315 | Medium |
| user3 | 828 | Low |
Example 3
In this example, the system classifies events based on the presence of the pattern "accounting" in the event.action field. It creates a new field action_type, which takes the value "account" if the substring is found, or "auth" otherwise.
... | eval action_type = if(like(event.action, "%accounting%"), "account", "auth")
The query execution result may be the following table:
| host.name | event.action | action_type |
|---|---|---|
| SPB | Special login | auth |
| MSK | System login | auth |
| VLG | Account management | account |
Example 4
In this example, the system counts the number of items in the items field for each record in the dataset.
... | eval total_count = mvcount(items)
The query execution result may be the following table:
| user | total_price | items | total_count |
|---|---|---|---|
| user1 | 4100 | [ "Gyro", "Chicken nuggets" ] | 2 |
| user2 | 2315 | [ "Hot dog", "Sweet potato fries", "Caprese salad", "Asian salad", "Fried tilapia fillet", "Crab cakes", "Pepper sausages", "Chicken tacos", "Chicken rice soup" ] | 9 |
| user3 | 828 | [ "Pulled pork sandwich", "Pancakes", "Reuben sandwich" ] | 3 |
Example 5
Calculating the percentage of successful operations based on the error count and the total number of operations for each host. The round function limits the result of the successful operation share calculation to two decimal places. The result is written to a new field success_rate.
... | eval success_rate = round(((total_ops - error_count) / total_ops) * 100, 2)
The query execution result may be the following table:
| host | total_ops | error_count | success_rate |
|---|---|---|---|
| server1 | 1000 | 50 | 95.00 |
| server2 | 800 | 20 | 97.50 |
| server3 | 1200 | 120 | 90.00 |
Example 6
This example creates a user identifier in email format based on the user.name and host.name fields. The trim function removes the $SRV characters from both sides of the user.name string. The replace function uses a regular expression where the first group captures the initial part of the name, and the second and third groups capture the uppercase letters at the end. The replacement pattern $1.$2$3 adds a dot between the first group and the trailing letters. The lower function converts the result to lowercase, after which the string is concatenated with @ and the value of host.name.
... | eval email = lower(replace(trim(user.name, "$SRV"), "^([a-zA-Z]+)([A-Z]+)([A-Z]+)$", "$1.$2$3")) + "@" + host.name
The query execution result may be the following table:
| user.name | host.name | email |
|---|---|---|
| SmithAG$SRV | server.local | smith.ag@server.local |
| TaylorSI$SRV | server.local | taylor.si@server.local |
| JonesMN$SRV | server.local | jones.mn@server.local |
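The regular expression in Example 6 is easy to get subtly wrong, because the greedy first group only gives up as many trailing letters as the remaining groups strictly need. The following Python script is an added example, not part of the original page or of the query language's implementation: it reproduces the page's expression on constructed rows mirroring the table above, shows why a two-group form of the pattern is not equivalent, and contrasts the page's pattern with a hypothetical alternative (ROBUST_RE, my own suggestion) for names with more than two trailing initials. It assumes, as the page's prose says, that trim(user.name, "$SRV") strips the literal token from both ends.

```python
import re

# Constructed sample rows mirroring the page's Example 6 table (not real accounts).
SAMPLE_ROWS = [
    {"user.name": "SmithAG$SRV", "host.name": "server.local"},
    {"user.name": "TaylorSI$SRV", "host.name": "server.local"},
    {"user.name": "JonesMN$SRV", "host.name": "server.local"},
]

SUFFIX = "$SRV"

# The page's pattern and replacement, translated to Python syntax ($1 -> \1).
PAGE_RE = re.compile(r"^([a-zA-Z]+)([A-Z]+)([A-Z]+)$")
PAGE_REPL = r"\1.\2\3"

# Simplified two-group form, included only to show why it is NOT equivalent.
TWO_GROUP_RE = re.compile(r"^([a-zA-Z]+)([A-Z]+)$")
TWO_GROUP_REPL = r"\1.\2"

# Hypothetical alternative (not from the page): a lazy first group that must end in a
# lowercase letter, so every trailing uppercase letter lands in the second group.
ROBUST_RE = re.compile(r"^([A-Za-z]*?[a-z])([A-Z]+)$")
ROBUST_REPL = r"\1.\2"


def trim_token(value: str, token: str = SUFFIX) -> str:
    """Assumption: trim(user.name, "$SRV") strips the literal token from both ends,
    as the page's prose describes. (If trim used a character set instead, the
    leading 'S' of 'SmithAG' would also be stripped and the page's output would differ.)"""
    while value.startswith(token):
        value = value[len(token):]
    while value.endswith(token):
        value = value[: -len(token)]
    return value


def derive_email(user_name: str, host_name: str,
                 pattern: re.Pattern = PAGE_RE, repl: str = PAGE_REPL) -> str:
    """Mirror of the page's expression:
    lower(replace(trim(user.name, "$SRV"), <pattern>, <repl>)) + "@" + host.name
    As with a typical replace(), a non-matching name passes through unchanged."""
    base = trim_token(user_name)
    return pattern.sub(repl, base).lower() + "@" + host_name


def unmatched_names(rows, pattern: re.Pattern = PAGE_RE):
    """Names the pattern does not recognise. In a SIEM pipeline these would silently
    yield an identifier without the dot, so surface them instead of letting a
    malformed identifier flow into downstream correlation rules."""
    return [r["user.name"] for r in rows
            if not pattern.fullmatch(trim_token(r["user.name"]))]


def run_example(rows=SAMPLE_ROWS):
    """Apply the page's expression to every row; returns the email column."""
    return [derive_email(r["user.name"], r["host.name"]) for r in rows]


if __name__ == "__main__":
    for row, email in zip(SAMPLE_ROWS, run_example()):
        print(f"{row['user.name']:14} -> {email}")
    # Why three groups: with two groups the greedy first group keeps one trailing initial.
    print(derive_email("SmithAG$SRV", "server.local", TWO_GROUP_RE, TWO_GROUP_REPL))
    # Limit of the page's pattern: three trailing initials are split in the wrong place.
    print(derive_email("SmithABC$SRV", "server.local"))
    print(derive_email("SmithABC$SRV", "server.local", ROBUST_RE, ROBUST_REPL))
    print(unmatched_names([{"user.name": "svc-backup$SRV", "host.name": "server.local"}]))
```

Run it with `python3 example6.py`. The three-group pattern reproduces the table exactly, while the two-group form yields smitha.g@server.local for the first row, because the first group backtracks only one character. The page's pattern has the same limitation for names with three or more trailing initials (SmithABC becomes smitha.bc), which is where the lazy-first-group alternative differs; whichever pattern is used, listing the names it does not match is a cheap sanity check before the derived identifier is trusted in a rule.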
Example 7
Calculating the total area of two circles based on their radii.
The pi() function returns the value of pi, and the pow() function squares the radius value. The result of summing the areas is written to a new field total_area.
... | eval total_area = pi() * pow(radius_a, 2) + pi() * pow(radius_b, 2)
The query execution result may be the following table:
| radius_a | radius_b | total_area |
|---|---|---|
| 3.0 | 4.0 | 78.53981634 |
| 2.5 | 2.5 | 110.83572895 |
| 5.0 | 3.5 | 39.26990817 |