In the documentation of "eval" command is written:
"The result of an eval statement is not allowed to be boolean."
but each time we use:
chart count(eval( var1=="som")) by something
we are getting as result of eval some boolean which is not "allowed" by documentation. Did I misunderstand something here? Does eval return boolean or not ?
What exactly are you trying to do and what is the error message that you're seeing?
Note that you have to rename the eval expression for the chart command to return.
chart count(eval( var1=="som")) AS someName by something
sorry I forget to put renaming. I am just trying to understand philosophy of SPLUNK, and its documentation. I have no error and this should help me to theoretically understand "eval" command.
yes I can see it is somehow special case but I am looking for documentation where is written otherwise. As far as I reported here "eval" does not return boolean. What does it then returns ? "count" works with fields so it seems it returns field, but which one ?
From what I can tell, Splunk can use Booleans for internal logic (such as with "if" and "case" functions within
eval, or as something to mark and count as with
chart), but it cannot return them, in the sense that you can't use the
eval statement to generate a field that holds a Boolean value.
The documentation is not inconsistent, but confusing. They are overloading the term
eval to be used in two different places, one as a standalone command, and one as a function that can be used as part of
count within the
chart command. In the first case, as it states, it cannot be used to create a field that holds a Boolean value. In the second case, it creates an internal Boolean state that can be counted into a field value. The documentation you are looking for isn't there because the documentation on the
eval command is unrelated to the documentation on the
The answer to your question "
count works with fields so it seems it returns field, but which one?" is that it may seem to return a field, but it doesn't - it is only capable of creating an internal Boolean state that Splunk can count.