In the documentation of "eval" command is written:
"The result of an eval statement is not allowed to be boolean."
(http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Eval)
but each time we use:
chart count(eval( var1=="som")) by something
we are getting as result of eval some boolean which is not "allowed" by documentation. Did I misunderstand something here? Does eval return boolean or not ?
best regards,
Milan
eval
in general does not return Booleans. Using it within the count
function of chart
is a special case.
What exactly are you trying to do and what is the error message that you're seeing?
Note that you have to rename the eval expression for the chart command to return.
chart count(eval( var1=="som")) AS someName by something
eval
in general does not return Booleans. Using it within the count
function of chart
is a special case.
@ d
sorry I forget to put renaming. I am just trying to understand philosophy of SPLUNK, and its documentation. I have no error and this should help me to theoretically understand "eval" command.
@ aweitzman
yes I can see it is somehow special case but I am looking for documentation where is written otherwise. As far as I reported here "eval" does not return boolean. What does it then returns ? "count" works with fields so it seems it returns field, but which one ?
From what I can tell, Splunk can use Booleans for internal logic (such as with "if" and "case" functions within eval
, or as something to mark and count as with chart
), but it cannot return them, in the sense that you can't use the eval
statement to generate a field that holds a Boolean value.
The documentation is not inconsistent, but confusing. They are overloading the term eval
to be used in two different places, one as a standalone command, and one as a function that can be used as part of count
within the chart
command. In the first case, as it states, it cannot be used to create a field that holds a Boolean value. In the second case, it creates an internal Boolean state that can be counted into a field value. The documentation you are looking for isn't there because the documentation on the eval
command is unrelated to the documentation on the chart
command.
The answer to your question "count
works with fields so it seems it returns field, but which one?" is that it may seem to return a field, but it doesn't - it is only capable of creating an internal Boolean state that Splunk can count.