Splunk Search

What is the eval command doing in this search?

Communicator

We use the eval command to create a new field, and we used it as a function, e.g. |stats count(eval(method="GET")) as get. Can someone explain this example clearly? What is eval doing here?

1 Solution

SplunkTrust

count(eval()) is testing the boolean expression inside the eval() and only counting those events that yield true, i.e. those with method="GET".


0 Karma

Ultra Champion

The manual explains it under "Use stats with eval expressions and functions".

One example there is:

status=404 | stats dc(eval(if(status=404, ip, NULL))) AS dc_ip

Your method="GET" is a shortcut for the if(method="GET",1,0) command.
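Putting the two answers together, here is an added example (not from the original thread or from the Splunk manual) that uses count(eval()) and dc(eval(if())) side by side in one stats call, followed by the two-step eval-then-stats form that yields the same table. It assumes the usual access_combined field names clientip, method and status; the sourcetype filter and the BY host split are placeholders for whatever your data has.

```spl
sourcetype=access_combined*
| stats count AS total,
        count(eval(method="GET")) AS get,
        count(eval(method="POST")) AS post,
        count(eval(status>=500)) AS server_errors,
        dc(eval(if(status=404, clientip, null()))) AS dc_404_ip,
        dc(clientip) AS dc_ip
  BY host

sourcetype=access_combined*
| eval is_get=if(method="GET", 1, 0),
       is_post=if(method="POST", 1, 0),
       is_5xx=if(status>=500, 1, 0),
       ip_404=if(status=404, clientip, null())
| stats count AS total,
        sum(is_get) AS get,
        sum(is_post) AS post,
        sum(is_5xx) AS server_errors,
        dc(ip_404) AS dc_404_ip,
        dc(clientip) AS dc_ip
  BY host
```

In the first search each count(eval(...)) term counts only the events for which its boolean is true, so get + post can never exceed total. The dc(eval(if(...))) term hands dc() the client address for 404 events and null() for everything else; dc() ignores null, so dc_404_ip is the number of distinct clients that received a 404, which you can compare with dc_ip, the distinct clients overall. The second search produces the same columns by materialising the conditions as fields first, which is easier to debug: run only the eval and look at is_get and ip_404 per event before aggregating. Note the difference from the dc(eval(if(method="GET", 0, 1))) query discussed later in this thread: that expression yields the values 0 and 1, so its distinct count is at most 2, whatever the traffic looks like.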

SplunkTrust

That's because in the first case, there's an eval() function to evaluate the if() expression, while in the second case there isn't.

eval(if(method="GET", 0, 1)) evaluates to 0 if the method is GET, to 1 otherwise.

0 Karma

SplunkTrust

eval(ip) evaluates the expression ip, so it returns ip.

0 Karma

Communicator

As you said, "| stats dc(eval(ip)) is the same as | stats dc(ip)".

if(method="GET", 0, 1) returns 0 or 1,

so dc(eval(0)) should be the same as dc(0).

sourcetype=access_combined* |stats dc(eval(if(method="GET", 0, 1))) as dc_method

should be the same as sourcetype=access_combined* |stats dc(if(method="GET", 0, 1)) as dc_method

but it is not showing 0 results (the last one).

0 Karma

Communicator

As you said, "| stats dc(eval(ip)) is the same as | stats dc(ip)".

if(method="GET", 0, 1) returns 0 or 1,

so dc(eval(0)) should be the same as dc(0).

sourcetype=access_combined* |stats dc(eval(if(method="GET", 0, 1))) as dc_method

gives 2 as the count,

and should be the same as sourcetype=access_combined* |stats dc(if(method="GET", 0, 1)) as dc_method

with 0 as the count, but it is showing 0 results (the last one).

0 Karma

SplunkTrust

| stats dc(eval(ip)) is the same as | stats dc(ip).

0 Karma

Communicator

What does eval(ip) return?

0 Karma

Communicator

|eval newitem=if(status=404, ip, null())
returns "ip",
then we can use | stats dc(newitem).

What does eval do after returning an argument (ip), like in |stats dc(eval(ip))?

What is the meaning of eval(ip)?

0 Karma
