Using `eval` to match all values (or existence) of...

flow2k · ‎03-09-2018

Often, we can use eval(myField=someValue)) with aggregate functions like count and avg, as well as time function like per_day, to process matching events. Is there a way for eval to match all values (or equivalently, the existence) of a field? This would be useful for searches like:
timechart per_second(eval(status>-9999))

I tried timechart per_second(eval(status=*)) to no avail.

elliotproebstel · ‎03-09-2018

You can use eval(isnotnull(status)) to test for the existence of a field.

tiagofbmm · ‎03-09-2018

Hi

I believe the following is what you are looking for.

index=_internal
| timechart count(eval(source like "%")) as src

Let me know please

flow2k · ‎03-09-2018

Thanks for the answer, but I believe the issue with using count instead of per_second (as in my original post) is that it depends on the span - I will get different answers if span=1h vs span=1min. Would you agree?

tiagofbmm · ‎03-09-2018

Sorry I tested count and only now tested per_second. The results are coherent though, any aggregation function works the same here.

Answering to your question, yes surely you'll get different results depending on your timespan, because granularity is changing. It is acceptable and somehow expected to produce different results

flow2k · ‎03-09-2018

Okay, I tried this and it works too. Why does this work - is there documentation on this syntax? Thanks!

tiagofbmm · ‎03-09-2018

This works because the eval functions the same way as the syntax of the where command. The "%" replaces the "*".

Feel free to accept the answer if you think it clarified your question

Using `eval` to match all values (or existence) of a field

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!