This is part eleven of the "Hunting with Splunk: The Basics" series. John Stoner has wanted to bring the power of eval to light for a while. The eval command is one of the most important commands at a Splunker's disposal, so I hope everyone learns some hunting goodness! I hope you're all enjoying this series on Hunting with Splunk as much as we enjoy bringing it to you.

Today's post will touch on another foundational capability within Splunk: the eval command. If I had to pick a couple of Splunk commands that I would want to be stuck on a desert island with, the eval command is up there right next to stats and sort. Eval allows you to take search results and perform all sorts of, well, evaluations of the data: from conditional functions (like if, case and match) to mathematical functions (round, square root) to date/time functions to cryptographic functions (MD5, SHA1, SHA256, SHA512) and so much more.

The following are examples for using the SPL2 eval command. To learn more about the eval command, see How the eval command works. Many of these examples use the evaluation functions. See Quick Reference for SPL2 eval functions.

1. Create a new field that contains the result of a calculation

Create a new field called speed in each event. Calculate the speed by dividing the values in the distance field by the values in the time field.

2. Use the if function to analyze field values

Create a new field called error in each event. Using the if function, set the value in the error field to OK if the status value is 200. Otherwise set the error field value to Problem.

`| eval error = if(status = 200, "OK", "Problem")`

3. Convert values to lowercase

Create a new field in each event called lowuser. Using the lower function, populate the field with the lowercase version of the values in the username field.

4. Specify field names that contain dashes or other characters

When a field name contains anything other than a-z, A-Z, 0-9, or the underscore ( _ ) character, you must enclose the name in single quotation marks. This includes the wildcard ( * ) character. This example shows how to specify a field name that includes a dash. The lower function is used to populate the lowuser field with the lowercase version of the values in the user-name field.

5. Calculate the sum of the areas of two circles

This example uses the pi and pow functions to calculate the area of two circles. A new field called sum_of_areas is created to store the sum of the areas of the two circles.

`| eval sum_of_areas = pi() * pow(radius_a, 2) + pi() * pow(radius_b, 2)`

6. Return a string value based on the value of a field

This example uses the case function to evaluate the value of the HTTP error codes in the error field. Based on the HTTP error codes, a text interpretation of the HTTP error codes is stored in a new field called error_msg.

`| eval error_msg = case(error = 404, "Not found", error = 500, "Internal Server Error", error = 200, "OK")`

7. Concatenate values from two fields

Use the plus ( + ) sign to concatenate the values in the first_name field with the values in the last_name field. Use quotation marks to insert a space character between the two names. When concatenating, the values are read as strings, regardless of the actual value. The concatenation operator accepts both strings and numbers. Numbers are concatenated as strings and produce a string.

`| eval full_name = first_name+" "+last_name`

8. Separate multiple eval operations with a comma

You can specify multiple eval operations by using a comma to separate the operations. In the following search the full_name evaluation uses the plus ( + ) sign to concatenate the values in the last_name field with the values in the first_name field. In this example, there is a comma and space between the last_name field and the first_name field. The low_name evaluation uses the lower function to convert the full_name evaluation into lowercase.

`| eval full_name = last_name+", "+first_name, low_name = lower(full_name)`

9. Convert a numeric field value to a string

10. Convert a numeric field value to a string and include commas in the output

Specify that the string value display with commas. This example replaces the values in the existing field x instead of creating a new field for the converted values. If the original value of x is 1000000, this search returns x as 1,000,000.

11. Include a currency symbol when you convert a numeric field value to a string

Using the previous example, you can include a currency symbol at the beginning of the string. Instead of returning x as 1,000,000, the search returns x as $1,000,000.
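The examples above each show one eval function in isolation. The search below is an added example, not part of the blog post or of the Splunk documentation, that puts several of them together the way a hunter would when enriching web access events: if and case to classify status codes, lower to normalize user names so that mixed-case variants of the same account collapse into one value, round and tostring with "commas" to make byte counts readable, match to flag requests against a sensitive path, sha256 to produce a stable pivot key for a URI, and strftime to render the timestamp. The sample events are constructed inline with makeresults and streamstats so the search runs on any Splunk instance without indexed data; the field names user_name, status, bytes and uri are assumptions chosen to look like a web access log, and the classic SPL syntax used here is also accepted by the examples' SPL2 dialect for these functions.

```spl
| makeresults count=4
| streamstats count AS n
| eval user_name=case(n=1, "ALICE", n=2, "Bob", n=3, "alice", n=4, "mallory"),
       status=case(n=1, 200, n=2, 404, n=3, 500, n=4, 200),
       bytes=case(n=1, 1234567, n=2, 512, n=3, 0, n=4, 98765432),
       uri=case(n=1, "/login", n=2, "/admin/export", n=3, "/api/v1/export", n=4, "/login")
| eval user_lc=lower(user_name)
| eval status_class=case(status >= 500, "server_error",
                         status >= 400, "client_error",
                         status >= 200, "success",
                         true(), "other"),
       is_error=if(status >= 400, 1, 0)
| eval bytes_mb=round(bytes / 1048576, 2),
       bytes_pretty=tostring(bytes, "commas")
| eval touches_admin=if(match(uri, "^/admin"), "yes", "no")
| eval uri_hash=sha256(uri)
| eval seen=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table seen user_name user_lc status status_class is_error bytes bytes_pretty bytes_mb uri touches_admin uri_hash
```

Two details matter for detection work. The case function returns null when no condition matches, so the trailing `true(), "other"` clause gives every event a status_class and keeps later stats from silently dropping rows. The lower call is what lets a closing `| stats count AS requests, sum(is_error) AS errors by user_lc` treat ALICE and alice as one account; without it the same user appears twice and a failed-login threshold can be evaded by case alone.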