According to the splunk doc , eval can be used within aggregate functions with stats command like:
index=main sourcetype="access_combined_wcookie"| stats count(eval(action = "purchase")) AS "Total purchases"
Now, I was of opinion that eval is used to create a search result field and looking at the query , it seems
eval(action = "purchase")
will create a field with true/false as value. But this is not the case. It actually creates a search field with value 1/0 which the count() function then counts.
This I did not found documented anywhere in eval splunk docs. Can some one help me point to resource where all such deviations for eval command from its normal behaviour are documented ? Are there more than this ?