Search command - eval
The eval command is perhaps the most advanced and powerful command in SPL. It allows you to store the resulting value of the eval operation in a field. A myriad of functions available today can be used with eval. Let us try some of the simpler and more common ones.
The simplest type of eval command performs a simple calculation and stores it in the newly created field. For example, if you want to create the new_salary field, which adds together old_salary plus a field named raise, it would look like this (but don't try this, as there are no such fields in our data):
SPL> eval new_salary = old_salary + raise
There are also countless functions that can be used effectively with eval. Later we discuss some of them:
SPL> round(X, ...