O'Reilly logo

Splunk 7 Essentials - Third Edition by Betsy Page Sigman, Erickson Delgado, J-P Contreras

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Search command – eval

The eval command is perhaps the most advanced and powerful command in SPL. It allows you to store the resulting value of the eval operation in a field. A myriad of functions can be used with eval. Let us try some of the simpler and more common ones.

The simplest type of eval command performs a simple if/then/else condition and stores a value in the newly created field. For example, if you want to create counts of successful and unsuccessful requests, use http_status_code to determine whether the request is successful, and, if it is, count the transaction as successful:

SPL> index=main earliest=-1h latest=now | stats count(eval(if(http_status_code < "400", 1, NULL))) AS successful_requests count(eval(if(http_status_code ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required