Splunk Search

What is the eval command doing in this search?

Communicator

We use the eval command to create a new field, and here it is used as a function, e.g. |stats count(eval(method="GET")) as get. Can someone explain this example clearly? What is eval doing here?

1 Solution

SplunkTrust

count(eval()) is testing the boolean expression inside the eval() and only counting those events that yield true, i.e. those with method="GET".


Ultra Champion

The manual explains it at Use stats with eval expressions and functions.

One example there is:

status=404 | stats dc(eval(if(status=404, ip, NULL))) AS dc_ip

Your method="GET" is a shortcut for the if(method="GET",1,0) command.

SplunkTrust

That's because in the first case, there's an eval() function to evaluate the if() expression, while in the second case there isn't.

eval(if(method="GET", 0, 1)) evaluates to 0 if the method is GET, to 1 otherwise.


SplunkTrust

eval(ip) evaluates the expression ip, so it returns ip.


Communicator

As you said, "| stats dc(eval(ip)) is the same as | stats dc(ip)".

if(method="GET", 0 ,1) returns 0 or 1,

so dc(eval(0)) should be the same as dc(0).

sourcetype=access_combined* |stats dc(eval(if(method="GET", 0 ,1))) as dc_method

should be the same as sourcetype=access_combined* |stats dc(if(method="GET", 0 ,1)) as dc_method

but it is not showing 0 results (the last one).


Communicator

As you said, "| stats dc(eval(ip)) is the same as | stats dc(ip)".

if(method="GET", 0 ,1) returns 0 or 1,

so dc(eval(0)) should be the same as dc(0).

sourcetype=access_combined* |stats dc(eval(if(method="GET", 0 ,1))) as dc_method

gives 2 as the count.

It should be the same as sourcetype=access_combined* |stats dc(if(method="GET", 0 ,1)) as dc_method

but that gives 0 as the count, showing 0 results (the last one).


SplunkTrust

| stats dc(eval(ip)) is the same as | stats dc(ip).

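The two rules the answers above rely on (count(eval(...)) counts only the events where the expression is true, and eval(ip) inside a stats function is just the field ip) are easier to see side by side. The following is an added example written for this page, not code from the thread or from Splunk: a small Python model of how stats resolves its argument, run over a handful of constructed access_combined-style events. It assumes the documented behaviour that count() and dc() ignore null values and that a false comparison inside stats' eval() yields null; the helper names (splunk_if, field, stats_count, stats_dc, thread_examples) and the sample events are this example's own. It also covers the dc(eval(if(...))) versus dc(if(...)) comparison raised later in the thread, and the count(eval(if(method="GET",1,0))) form, which counts every event because 0 is not null.

```python
"""Model of how Splunk stats treats an eval() expression versus a field name.

Added example, not from the Splunk docs or the thread. It applies these rules
over constructed access_combined-style events:
  * count(X) counts events whose value for X is not null
  * dc(X)    counts distinct non-null values of X
  * eval(expr) is evaluated per event; a false comparison yields null,
    which is why count(eval(method="GET")) counts only GET events
  * without eval(), the argument is taken as a plain field name
"""
from typing import Any, Callable, Dict, List, Optional, Union

Event = Dict[str, Any]
# A stats argument is either a field name (str) or an eval expression
# (a callable applied to each event).
Arg = Union[str, Callable[[Event], Any]]

# Constructed sample events standing in for sourcetype=access_combined*.
EVENTS: List[Event] = [
    {"method": "GET",  "status": 200, "clientip": "10.0.0.1"},
    {"method": "GET",  "status": 404, "clientip": "10.0.0.2"},
    {"method": "POST", "status": 200, "clientip": "10.0.0.1"},
    {"method": "POST", "status": 404, "clientip": "10.0.0.3"},
    {"method": "HEAD", "status": 200, "clientip": "10.0.0.2"},
]


def splunk_if(cond: bool, then_val: Any, else_val: Any) -> Any:
    """Mirror SPL if(cond, a, b); pass None as else_val to mirror null()."""
    return then_val if cond else else_val


def field(name: str) -> Callable[[Event], Any]:
    """A bare field reference inside an eval expression, e.g. eval(ip)."""
    return lambda ev: ev.get(name)


def value_for(ev: Event, arg: Arg) -> Optional[Any]:
    """Resolve a stats argument for one event.

    A plain string is a field name: a missing field is null.
    A callable is an eval() expression: evaluate it and treat a false
    boolean result as null so that count() skips the event.
    """
    if isinstance(arg, str):
        return ev.get(arg)
    result = arg(ev)
    return None if result is False else result


def stats_count(events: List[Event], arg: Arg) -> int:
    """count(arg): number of events with a non-null value."""
    return sum(1 for ev in events if value_for(ev, arg) is not None)


def stats_dc(events: List[Event], arg: Arg) -> int:
    """dc(arg): number of distinct non-null values."""
    return len({value_for(ev, arg) for ev in events} - {None})


def thread_examples(events: List[Event]) -> Dict[str, int]:
    """Run the searches discussed in the thread against the sample events."""
    return {
        # | stats count(eval(method="GET")) as get
        "count(eval(method=GET))": stats_count(events, lambda ev: ev["method"] == "GET"),
        # | stats count(eval(if(method="GET",1,0))): 0 is not null, so every event counts
        "count(eval(if(method=GET,1,0)))": stats_count(
            events, lambda ev: splunk_if(ev["method"] == "GET", 1, 0)),
        # | stats count(eval(if(method="GET",1,null()))): null() restores the filter
        "count(eval(if(method=GET,1,null())))": stats_count(
            events, lambda ev: splunk_if(ev["method"] == "GET", 1, None)),
        # | stats dc(eval(if(method="GET",0,1))) as dc_method: only the values 0 and 1 exist
        "dc(eval(if(method=GET,0,1)))": stats_dc(
            events, lambda ev: splunk_if(ev["method"] == "GET", 0, 1)),
        # | stats dc(if(method="GET",0,1)): no eval(), so this is a field name no event has
        "dc(if(method=GET,0,1))": stats_dc(events, 'if(method="GET",0,1)'),
        # | stats dc(eval(clientip)) versus | stats dc(clientip): identical
        "dc(eval(clientip))": stats_dc(events, field("clientip")),
        "dc(clientip)": stats_dc(events, "clientip"),
        # status=404 | stats dc(eval(if(status=404, ip, NULL))) AS dc_ip, from the manual
        "dc(eval(if(status=404,clientip,null)))": stats_dc(
            events, lambda ev: splunk_if(ev["status"] == 404, ev["clientip"], None)),
    }


if __name__ == "__main__":
    for search, result in thread_examples(EVENTS).items():
        print(f"{search:42s} -> {result}")
```

The model is deliberately small: the point is the difference between a value that is null (skipped by count and dc) and a value that is merely 0 or false-looking (kept), which is exactly what separates count(eval(method="GET")) from count(eval(if(method="GET",1,0))).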

Communicator

What does eval(ip) return?


Communicator

|eval newitem=if(status=404, ip, null)
returns "ip",
then we can use | stats dc(newitem).

What does eval do after returning an argument (ip), as in |stats dc(eval(ip))?

What is the meaning of eval(ip)?

