Splunk Search

eval used with stats command returns 1/0 instead of true/false

splunkuser1948
Engager

According to the splunk doc , eval can be used within aggregate functions with stats command like:

 

index=main sourcetype="access_combined_wcookie"| stats count(eval(action = "purchase")) AS "Total purchases"

 

Now, I was of opinion that eval is used to create a search result field and looking at the query , it seems 

 

eval(action = "purchase")

 

 

will create a field with true/false as value. But this is not the case. It actually creates a search field with value 1/0 which the count() function then counts.

This I did not found documented anywhere in eval splunk docs. Can some one help me point to resource where all such deviations for eval command from its normal behaviour are documented ? Are there more than this ?

Labels (2)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

In that link to the eval docs is the answer - see syntax/required arguments/expression it says

The result of an eval expression cannot be a Boolean.

It's normal behaviour is never to create a true/false field assignment.

0 Karma

splunkuser1948
Engager

True but it does not mention anywhere that it will be 1/0.

Also, it just says that we cannot have
`eval some_field = (name=="some_value")`

but we can have `count(eval(name=="some_value"))`

This is not logical conclusion from - "The result of an eval expression cannot be a Boolean."

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...