topic Re: eval used with stats command returns 1/0 instead of true/false in Splunk Search

eval used with stats command returns 1/0 instead of true/false

splunkuser1948 — Mon, 12 Apr 2021 10:13:34 GMT

According to the splunk doc , eval can be used within aggregate functions with stats command like:

index=main sourcetype="access_combined_wcookie"| stats count(eval(action = "purchase")) AS "Total purchases"

Now, I was of opinion that eval is used to create a search result field and looking at the query , it seems

eval(action = "purchase")

will create a field with true/false as value. But this is not the case. It actually creates a search field with value 1/0 which the count() function then counts.

This I did not found documented anywhere in eval splunk docs. Can some one help me point to resource where all such deviations for eval command from its normal behaviour are documented ? Are there more than this ?

Re: eval used with stats command returns 1/0 instead of true/false

bowesmana — Mon, 12 Apr 2021 11:25:16 GMT

In that link to the eval docs is the answer - see syntax/required arguments/expression it says

The result of an eval expression cannot be a Boolean.

It's normal behaviour is never to create a true/false field assignment.

Re: eval used with stats command returns 1/0 instead of true/false

splunkuser1948 — Mon, 12 Apr 2021 11:50:55 GMT

True but it does not mention anywhere that it will be 1/0.

Also, it just says that we cannot have
`eval some_field = (name=="some_value")`

but we can have `count(eval(name=="some_value"))`

This is not logical conclusion from - "The result of an eval expression cannot be a Boolean."