Re: eval used with stats command returns 1/0 inste...

splunkuser1948 · ‎04-12-2021

According to the splunk doc , eval can be used within aggregate functions with stats command like:

index=main sourcetype="access_combined_wcookie"| stats count(eval(action = "purchase")) AS "Total purchases"

Now, I was of opinion that eval is used to create a search result field and looking at the query , it seems

eval(action = "purchase")

will create a field with true/false as value. But this is not the case. It actually creates a search field with value 1/0 which the count() function then counts.

This I did not found documented anywhere in eval splunk docs. Can some one help me point to resource where all such deviations for eval command from its normal behaviour are documented ? Are there more than this ?

bowesmana · ‎04-12-2021

In that link to the eval docs is the answer - see syntax/required arguments/expression it says

The result of an eval expression cannot be a Boolean.

It's normal behaviour is never to create a true/false field assignment.

splunkuser1948 · ‎04-12-2021

True but it does not mention anywhere that it will be 1/0.

Also, it just says that we cannot have
`eval some_field = (name=="some_value")`

but we can have `count(eval(name=="some_value"))`

This is not logical conclusion from - "The result of an eval expression cannot be a Boolean."

eval used with stats command returns 1/0 instead of true/false

eval

stats

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?