Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

"count" using "eval" not as described in documentation. Does eval return boolean results or not?

milande
Path Finder
‎01-20-2015 06:39 AM

In the documentation of "eval" command is written:

"The result of an eval statement is not allowed to be boolean."
(http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Eval)

but each time we use:
chart count(eval( var1=="som")) by something

we are getting as result of eval some boolean which is not "allowed" by documentation. Did I misunderstand something here? Does eval return boolean or not ?

best regards,
Milan

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aweitzman
Motivator
‎01-20-2015 06:45 AM

eval in general does not return Booleans. Using it within the count function of chart is a special case.

View solution in original post

Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎01-20-2015 06:47 AM

What exactly are you trying to do and what is the error message that you're seeing?
Note that you have to rename the eval expression for the chart command to return.

chart count(eval( var1=="som")) AS someName by something
0 Karma
Reply
Solved! Jump to solution
Solution

aweitzman
Motivator
‎01-20-2015 06:45 AM

eval in general does not return Booleans. Using it within the count function of chart is a special case.

Reply
Solved! Jump to solution

milande
Path Finder
‎01-20-2015 06:56 AM

@ d
sorry I forget to put renaming. I am just trying to understand philosophy of SPLUNK, and its documentation. I have no error and this should help me to theoretically understand "eval" command.

@ aweitzman
yes I can see it is somehow special case but I am looking for documentation where is written otherwise. As far as I reported here "eval" does not return boolean. What does it then returns ? "count" works with fields so it seems it returns field, but which one ?

0 Karma
Reply
Solved! Jump to solution

aweitzman
Motivator
‎01-20-2015 07:05 AM

From what I can tell, Splunk can use Booleans for internal logic (such as with "if" and "case" functions within eval, or as something to mark and count as with chart), but it cannot return them, in the sense that you can't use the eval statement to generate a field that holds a Boolean value.

The documentation is not inconsistent, but confusing. They are overloading the term eval to be used in two different places, one as a standalone command, and one as a function that can be used as part of count within the chart command. In the first case, as it states, it cannot be used to create a field that holds a Boolean value. In the second case, it creates an internal Boolean state that can be counted into a field value. The documentation you are looking for isn't there because the documentation on the eval command is unrelated to the documentation on the chart command.

The answer to your question "count works with fields so it seems it returns field, but which one?" is that it may seem to return a field, but it doesn't - it is only capable of creating an internal Boolean state that Splunk can count.

Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...