Splunk Eval Commands With Examples | Free Guide Tutorial [ OverView ]

• In this article you will learn:
• 1.What is eval command in a Splunk?
• 2.What does a eval command do?
• 3.Ways to Use a eval Command in Splunk.
• 4.Other eval functions.
• 5.Conclusion.

What is eval command in a Splunk?

The eval command is a commonly used a command in a Splunk that calculates an expression and applies that value to brand new destination field.The eval command is one of the most powerful and widely used commands. However probably don’t know all the possibilities eval is capable of a performing.

Syntax:

What does a eval command do?

Essentially are creating a field in the Splunk where one doesn’t already exist. The primary benefit of an eval command is that it allows to see patterns in a data by putting a data into context. That context is created through different formulas that carry out a specific functions such as:

• Mathematical functions
• Comparison functions
• Conversion functions
• Multivalue functions
• Date and Time functions
• Text functions
• Informational functions

Each of functions above has its own list of an arguments-based functions but in this guide start with ways to use a some basic eval commands.

Ways to Use a eval Command in Splunk:

1. Use a eval command with the mathematical functions:

When call a field into an eval command, either create or manipulate that field for an example:

If “x” was not an already listed field in a data then have now created a new field and have given that field a value of 2. If “x” is a field within a data then have overwritten all the fields so that now x is a only 2. This is simplest way to use an eval list a field and give it a value.Although it is too simple to list here using eval to finish mathematical functions can be quite helpful when analyzing a lot of the data. can turn values into the percentages and even use a stats command to add additional context to a data.

2. Format time values with an eval command:

There are the couple of ways can work with a time using eval.The first is a formatting. Here’s an example If bringing in a time field but it’s written in an epoch time and can convert it into the readable time format:

The second is a stripping a time format and converting it to an epoch:

3. Compare time values with a eval:

Using “relative-time” can create the rolling time window:

This line will return the value that is exactly 1 month from now, the time period can be changed to be day, a week, 27 days, 4 years whatever heart desires. From here can use a where command to filter the results:

Because both of these time values are in an epoch can simply find results where time is be higher number than a month or in even simpler terms anything more recent than a one month.

4. Use If and Case with eval:

IF and CASE are in a same vein of comparison, however, CASE will allow for a more arguments. Let’s take quick look at these two:

Using IF:

Here’s breakdown when using a IF need to pass a three arguments:

The condition – this is usually if something equals to some value.

The result – if said field does equal are defined value then the test’s value is an argument.

The else – if said field does NOT equal are defined values then test’s value is an argument.

In this case if status are equals 200, then a text would say “Cool Beans.” If value of status is anything other than a 200 then text reads “No Bueno.”

Using CASE:

As stated earlier, CASE will allow us to the add more arguments.

As can see can apply a multiple conditions using case to get a more robust list of the descriptions.

5. Use lower/upper with eval:

Sometimes, text formatting in a data can be weird. Splunk says that when can search for a value it doesn’t need to be a case-sensitive but take that with the grain of salt. It’s also not true when comparing values from a various sources.Event Data – ID: 1234AbCD, Lookup – ID: 1234abcd .If trying to use a lookup command and join and get values in the coherent table of information, that’s not going to be happen. Why? Because of two values don’t match. Sure a numbers and letters are the same, but formatting is different. Splunk views that as are a roadblock. Need a quick fix? Here’s one that’s super simple and barely an inconvenience.

Lower and upper will allow to format a field value to make all the letters each lowercase or uppercase depending on which function can use. Finally make letters in an event data lowercase so that the lookup and indexed data can be communicate correctly.

Other eval functions:

Lower(x): Lower will take all values from a field and make them lowercase

Syntax:

Upper(X): Upper will do a same as lower but all the uppercase

Syntax:

Typeof(x): Typeof will create the field that will tell the data type of a field.

Syntax:

Round(X,Y): Round will take the numeric value and round it to the nearest explained a decimal place .

Syntax:

Mvjoin(x,y): This will take the field that has multiple values separated by space and add a delimiter making it single value .

Syntax:

Conclusion:

Eval is the very powerful command in Splunk that gives an insight into a data that just can’t be seen on the surface of monitoring console dashboards. Try out eval command on a next search and explore the possibilities .