I have some hosts that follow naming conventions and I want to create and set another field based upon those naming conventions. How would I do that? For example, some of these hosts have "MMK" in them, and others have "RTP". I want to check for those values, and if they exist, set another field "location" to a literal string value representing those locations. Eval? Where?
You could use either eval or rex to do this. As others have already provided you with the answer for using an eval, a regular expression query would look like this:
Base Search | rex field=host "(?<location>MMK|RTP).*"
The regular expression can be tidied up a bit more if you give an example of your events.
You are on the right track; eval can do what you need, like this:
yoursearchhere | eval location=case(host LIKE "%MMK%","MMK", host LIKE "%RTP%", "RTP", 1==1, "Other") | stats count by location
I used the case function, but there are other ways to do this as well.
You might also consider a lookup table, which could provide more information about your hosts:
Here is a tutorial on lookup tables.
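The lookup-table approach mentioned in the last answer, sketched as an added example that is not part of the original posts: a wildcard lookup that maps host name patterns to a location. The file name `host_locations.csv`, the stanza name `host_locations`, the column names and the CSV values are assumptions made for illustration.

```ini
# Added example; file name, stanza name, column names and CSV values are constructed.
#
# 1) Lookup file: $SPLUNK_HOME/etc/apps/<your_app>/lookups/host_locations.csv
#
#      host_pattern,location,site_owner
#      *MMK*,MMK,owner-placeholder-1
#      *RTP*,RTP,owner-placeholder-2
#
# 2) transforms.conf in the same app:

[host_locations]
filename = host_locations.csv
# Treat host_pattern values as wildcard patterns instead of exact strings.
match_type = WILDCARD(host_pattern)
# Match "mmk-web01" as well as "MMK-WEB01".
case_sensitive_match = false
# Return only the first matching row for each event.
max_matches = 1
# Hosts that match no pattern get location=Other,
# like the 1==1 branch of the case() search above.
min_matches = 1
default_match = Other

# 3) Search:
#
#      yoursearchhere
#      | lookup host_locations host_pattern AS host OUTPUT location site_owner
#      | stats count by location
```

New naming conventions then only need a new row in the CSV, and every search that uses the lookup picks them up without being edited.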