Splunk Search

eval used with stats command returns 1/0 instead of true/false


According to the splunk doc , eval can be used within aggregate functions with stats command like:


index=main sourcetype="access_combined_wcookie"| stats count(eval(action = "purchase")) AS "Total purchases"


Now, I was of opinion that eval is used to create a search result field and looking at the query , it seems 


eval(action = "purchase")



will create a field with true/false as value. But this is not the case. It actually creates a search field with value 1/0 which the count() function then counts.

This I did not found documented anywhere in eval splunk docs. Can some one help me point to resource where all such deviations for eval command from its normal behaviour are documented ? Are there more than this ?

Labels (2)
0 Karma


In that link to the eval docs is the answer - see syntax/required arguments/expression it says

The result of an eval expression cannot be a Boolean.

It's normal behaviour is never to create a true/false field assignment.

0 Karma


True but it does not mention anywhere that it will be 1/0.

Also, it just says that we cannot have
`eval some_field = (name=="some_value")`

but we can have `count(eval(name=="some_value"))`

This is not logical conclusion from - "The result of an eval expression cannot be a Boolean."

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...