Using the eval command
The eval command is one of the most useful Splunk search commands because it can
calculate almost any expression you can think of. Numerous eval functions can be
used with the command. A few of them are shown here; many more are listed in the
Splunk documentation:
| Eval function | Description | Example |
|---|---|---|
| case(X, "Y", ...) | Using pairs of arguments, X and Y, where X is TRUE, return Y. | case(error == 404, "Not found", error == 200, "OK") |
| ceil(X) | Gives the ceiling of a number. | ceil(2.2) |
| if(X,Y,Z) | If X is TRUE, result is Y. If X is FALSE, result is Z. | if(error == 404, "Not found", "Found") |
| len(X) | Returns number of characters in the string field. | len(field) |
| lower(X), upper(X) | Returns lowercase, uppercase. | lower(username), upper(username) |
| round(X,Y) | Rounds X to Y decimal places. If no Y is given, round to integer. | round(3.5) |
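The functions in the table combined in one search, as an added example that is not from the original text. The four events are constructed with makeresults so the search runs without any indexed data; the field bytes and every output field name are assumptions made for illustration. It also shows a case() edge: with no matching pair, case() returns NULL (status_no_default is empty for error 500), so a final true() pair supplies a default.

```spl
| makeresults count=4
| streamstats count AS n
| eval error=case(n==1, 200, n==2, 404, n==3, 500, n==4, 404)
| eval username=case(n==1, "Alice", n==2, "BOB", n==3, "alice", n==4, "bob")
| eval bytes=case(n==1, 1536, n==2, 512, n==3, 2048, n==4, 700)
| eval status_no_default=case(error == 404, "Not found", error == 200, "OK")
| eval status=case(error == 404, "Not found", error == 200, "OK", true(), "Other")
| eval found=if(error == 404, "Not found", "Found")
| eval user=lower(username), user_len=len(username)
| eval kb=round(bytes/1024, 2), kb_ceil=ceil(bytes/1024)
| table username user user_len error status_no_default status found kb kb_ceil
```

Because user is lowercased, a following `| stats count BY user` counts "Alice" and "alice" as one account, which matters when aggregating authentication or access events per user.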