Version: 5.2

peval

Description

Performs various operations on the data. It is based on internal storage mechanisms.

danger

Using peval in a query is allowed if it is preceded only by commands that also work with internal storage mechanisms. These include source, inputlookup and search. This condition must also be met for all subqueries in the query.

Syntax

 | peval <field>=<expression>["," <field>=<expression>]...
| Parameter | Syntax | Description |
| --- | --- | --- |
| field | <string> | Name of the field that receives the result of the operation. |
| expression | <expression> | The operation (computation), or a set of operations, performed to create the new field. |

Supported expression Operations

| Operation Type | Syntax | Description |
| --- | --- | --- |
| Arithmetic Operations | +, -, *, / | Arithmetic operations apply to numeric fields. |
| Logical Operations | ==, !=, >, >=, <, <=; AND, OR, NOT | Comparisons and logical operators that return boolean values. |
| Conditional Operations | cidrmatch, coalesce, like, nullif, case, if, validate | Conditional operations provide additional capabilities for data processing. |
| Mathematical Operations | abs, ceil, exact, exp, floor, ln, log, pi, pow, round, sigfig, sqrt | Mathematical operations on numeric values for various computations. |
| Time Operations | now, strftime, strptime | Operations for processing, managing, or analyzing time values and time intervals. |
| Data Type Identification Operations | isbool, isint, isnotnull, isnull, isnum, isstr, typeof | Operations that evaluate the data type of a field, value, or expression. |
| Data Conversion Operations | printf, tobool, tonumber, tostring | Operations that convert a value to a different data type. |
| Statistical Operations | max, min | Operations that compute a statistic (the maximum or minimum) over the values passed to them. |
| Text Operations | len, lower, ltrim, replace, rtrim, substr, trim, upper | Operations that analyze, transform, or format string values. |
| Multivalue Operations | mvappend, mvcount, mvdedup, mvjoin, mvrange, mvsort, mvzip, split | Operations for working with multivalue fields, or for creating and processing such arrays. |
| Regular Expressions | regex | Regular expression search operations. |
| Painless Scripts | _script | Executes a script written in the Painless scripting language. |

Data Types

Peval operates with the following basic data types and attempts to retain the original or assigned data type in the response:

  • string
  • numeric
  • boolean
  • null
  • multivalue
info

Multivalues represent arrays of values, where each element is a basic data type.

OpenSearch Specifics
  • Scripts in OpenSearch operate on numeric fields and on the keyword type of text fields. For a text field, reference its keyword sub-field by appending .keyword to the field name: <field name>.keyword
  • Regular expressions must be wrapped in the regex function to ensure proper OpenSearch script handling:
    • Syntax: regex("<regular expression>")
  • Custom Painless scripts can be executed during command execution using the _script function:
    • Syntax: _script("<script>", (<arg_name>, <arg_value>)...)

Query Examples

Example 1

Concatenating fields with a string separator.

Example №1
source nix_events-*
| search host="SIN-*"
| peval agent= agent + ":" + port
| search agent="*log*77"
| aggs values(per_number) by agent

In this example, the system filters events whose host has the prefix SIN-. The agent field is then rewritten as the concatenation of the string values of agent and port with a : separator. The query then selects events where the agent field contains the substring log and ends with 77. Finally, an aggregation collects the values of the per_number field (values(per_number)) for each unique agent.

Sample input data:

| host | agent | port | per_number |
| --- | --- | --- | --- |
| SIN-WS-01 | nginx-log | 77 | smith |
| SIN-WS-02 | nginx-log | 77 | dawson |
| DXB-DB-02 | syslog | 53363 | smith |
| SIN-DB-03 | syslog | 57177 | wright |
| SIN-WS-03 | nginx-error | 77 | wright |

The query execution result may be the following table:

| agent | values(per_number) |
| --- | --- |
| nginx-log:77 | smith, dawson |
| syslog:57177 | wright |
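The following is an added example, not code from the documentation page or from the product: a plain-Python model of the Example 1 pipeline, run over the sample rows above, to check the expected result table. The semantics it assumes (string concatenation of agent and port, `*` as a wildcard for any run of characters in search, and values() collecting distinct values per group in first-seen order) are assumptions about peval, not its actual implementation.

```python
"""Added example: a plain-Python model of the Example 1 pipeline.
The peval/search/aggs semantics below are assumptions, not the product's code."""
import re

# Constructed sample events, copied from the page's "Sample input data" table.
SAMPLE_EVENTS = [
    {"host": "SIN-WS-01", "agent": "nginx-log", "port": 77, "per_number": "smith"},
    {"host": "SIN-WS-02", "agent": "nginx-log", "port": 77, "per_number": "dawson"},
    {"host": "DXB-DB-02", "agent": "syslog", "port": 53363, "per_number": "smith"},
    {"host": "SIN-DB-03", "agent": "syslog", "port": 57177, "per_number": "wright"},
    {"host": "SIN-WS-03", "agent": "nginx-error", "port": 77, "per_number": "wright"},
]


def wildcard_match(pattern, value):
    """Model of `search field="pattern"`: '*' matches any run of characters,
    every other character is literal, and the pattern must cover the whole value."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(value)) is not None


def search(events, field, pattern):
    """Keep only events whose field matches the wildcard pattern (missing field = no match)."""
    return [e for e in events if field in e and wildcard_match(pattern, e[field])]


def peval(events, field, expression):
    """Model of `peval field=expression`: assign expression(event) to field.
    Writing to an existing field name overwrites it, as Example 1 does with agent."""
    result = []
    for e in events:
        new_event = dict(e)
        new_event[field] = expression(e)
        result.append(new_event)
    return result


def aggs_values_by(events, value_field, group_field):
    """Model of `aggs values(value_field) by group_field`: distinct values per group,
    in order of first appearance (assumed ordering)."""
    groups = {}
    for e in events:
        bucket = groups.setdefault(e[group_field], [])
        if e[value_field] not in bucket:
            bucket.append(e[value_field])
    return groups


def run_example_1(events=SAMPLE_EVENTS):
    """Execute the four pipeline stages of Example 1 and return the aggregation."""
    step1 = search(events, "host", "SIN-*")
    # agent + ":" + port: the numeric port is converted to a string by the concatenation
    step2 = peval(step1, "agent", lambda e: f"{e['agent']}:{e['port']}")
    step3 = search(step2, "agent", "*log*77")
    return aggs_values_by(step3, "per_number", "agent")


if __name__ == "__main__":
    for agent, values in run_example_1().items():
        print(agent, values)
```

Running the block prints the two rows of the result table above; the DXB-DB-02 event is dropped by the host filter and nginx-error:77 by the second search, since it contains no log substring.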

Example 2

Calculating the difference between numeric fields.

Example №2
... | peval temp_diff=ups_adv_battery_temperature - env_temperature
| where temp_diff > 10

In this example, the command calculates the difference between the numeric fields ups_adv_battery_temperature and env_temperature, writing the result to temp_diff. The where filter retains events where the difference exceeds 10 degrees.

Sample input data:

| ups_adv_battery_temperature | env_temperature |
| --- | --- |
| 35 | 20 |
| 30 | 22 |
| 28 | 25 |

The query execution result may be the following table:

| ups_adv_battery_temperature | env_temperature | temp_diff |
| --- | --- | --- |
| 35 | 20 | 15 |
| 30 | 22 | 8 |

Example 3

Classifying based on the value of a numeric field using Painless scripts.

Example №3
... | peval res=_script("if (doc['total_price'].value < 1000 ) { return 'low'; } else if (doc['total_price'].value < 2000) { return 'medium'; } else { return 'high'; }", (total_price, total_price))

In this example, the command classifies orders by the value of the numeric field total_price via doc['total_price'].value as low (less than 1000), medium (from 1000 to 1999), or high (2000 and above) using a Painless script with the _script function.

The query execution result may be the following table:

| user_id | items_quantity | operation_status | total_price | res |
| --- | --- | --- | --- | --- |
| 1 | 3 | success | 1815 | medium |
| 2 | 7 | success | 4073 | high |
| 3 | 10 | success | 5520 | high |
| 4 | 1 | success | 599 | low |

Example 4

Determining the status level for each document from its error count and a threshold value, using the custom calcStatusByErrors script.

Example №4
... | peval level=calcStatusByErrors(errorCount, 3)

The query execution result may be the following table:

| errorCount | level | service |
| --- | --- | --- |
| 3 | warning | auth |
| 0 | ok | cache |
| 10 | critical | search |
| 5 | critical | billing |

Example 5

Creating an array of statuses using multivalue operations:

Example №5
| peval status_list=mvappend(case(http.response.status_code == 200, "OK", http.response.status_code == 404, "Not Found", "Error"), tostring(http.response.status_code))

In this example, the system processes numeric HTTP statuses http.response.status_code into an array status_list containing a textual description and the original code as a string.

The query execution result may be the following table:

| source.address | destination.address | http.request.method | http.request.status | status_list |
| --- | --- | --- | --- | --- |
| 172.24.76.116 | 192.168.12.17 | GET | 200 | OK, 200 |
| 172.23.10.193 | 192.168.12.98 | GET | 404 | Not Found, 404 |
| 172.27.99.179 | 192.168.12.1 | GET | 403 | Error, 403 |

Example 6

Extracting a text value from the host.name field and converting its first part to lowercase.

Example №6
... | peval hn=lower(mvindex(split(host.name, "."), 0))

In this example, the split function divides the string host.name into a multivalue on the . delimiter, the mvindex function extracts the element at index 0 from that multivalue, and the lower function converts this element to lowercase; the result is written to hn. The last column of the result table shows what hn would contain without the mvindex call.

The query execution result may be the following table:

| user | action | host | hn | hn (without function mvindex) |
| --- | --- | --- | --- | --- |
| smith | added-user-account | WS-01.work.local | ws-01 | ws-01, local, work |
| holmes | changed-password | WS-02.work.local | ws-02 | ws-01, local, work |
| wright | removed-member-from-group | WS-03.work.local | ws-03 | ws-01, local, work |

Example 7

Creating a field to classify events based on HTTP response status:

Example №7
source web_indexes
| peval name=if(isnull(user.name), "None", user.name)

In this example, the if function checks the condition isnull(user.name), which returns true if the field is null (has no value). If the condition is true, the string None is written to the name field; otherwise, the original value of user.name is written.

The query execution result may be the following table:

| source | destination | path | status | user | user (before the expression if) |
| --- | --- | --- | --- | --- | --- |
| 172.26.0.240 | 192.168.12.100 | /veil.jpg | 200 | Smith | Smith |
| 172.26.0.241 | 192.168.12.101 | /number/seashore | 404 | None | null |
| 172.26.0.242 | 192.168.12.102 | /advice | 403 | None | null |
| 172.26.0.243 | 192.168.12.103 | /walk/stove | 200 | Holmes | Holmes |
172.26.0.243192.168.12.103/walk/stove200HolmesHolmes