Creates a new field by evaluating the provided expression. The
eval string must always start with an assignment
(f=expr
). The result is stored
in a field with that name.
In an expression, it is possible to supply names of fields, strings and numbers.
The operators
available are ==
,
!=
, as well as
+
,
-
,
*
, and
/
and parenthesized expressions.
eval()
accepts multiple expressions to be
evaluated, separated by a comma, in the form of
field_name = expression
.
Note
This function takes no parameters.
The following are all valid examples:
eval(a = 3)
eval(a = b, x = y + z)
In the context of an eval()
expression
— unlike filters — identifiers always denote field
values. For example:
eval( is_warning= (loglevel==WARN) )
is most likely wrong; you want to write:
(loglevel=="WARN")
The order of evaluation of arguments is left to right.
The expression:
eval(f=expr)
only results in an assignment to
f
when
expr
yields a result —
which is not the case when a field in the expression does not
exist, or it's not a number.
This means that fields are not created if the source event is missing a value.
If f
already existed as a field
on the event and expr
did not
yield any result, then f
is
unchanged.
eval()
Examples
Click
next to an example below to get the full details.Create New Fields
Create new fields by evaluating the provided expression using the eval()
function
Query
eval(c = a + b)
Introduction
In this example, the eval()
function is used
to add the fields a and
b together, creating a new
field c containing the
results.
Step-by-Step
Starting with the source repository events.
- logscale
eval(c = a + b)
Adds the values of field a and field b together and returns the sum of these in a new field named c.
Event Result set.
Summary and Results
The query is used to create a new field containing the sum of two other
fields. In case the field c
already existed, it would just be modified with the new value. The
eval()
function is useful when testing and
debugging. You can for example use it to test a complex function or
expression with different inputs and quickly check the output in the
returned values.
Match Field to Timespan
Match a field to timespan using the eval()
function with timeChart()
Query
timechart(method, span=5min)
| eval(_count=_count/5)
Introduction
In this example, the eval()
function is used
with timeChart()
to match a field to the
timespan, dividing the count by 5 to convert from a 5 minute count
to a per-minute count.
Step-by-Step
Starting with the source repository events.
- logscale
timechart(method, span=5min)
Creates a timechart based on the values of the method field, and groups data into 5 minute buckets (span=5min). By default, it counts events in each bucket and returns the result in a field named _count.
- logscale
| eval(_count=_count/5)
Divides the count by 5 to convert from a 5-minute count to a per-minute count, and returns the new value in the _count field.
This approach is useful when you want to display per-minute rates but also want to benefit from the reduced data points and improved performance of larger time buckets.
Event Result set.
Summary and Results
The query is used to match a field to a timespan. It summarizes the
count into 5 minutes blocks and then displays those using the
timeChart()
timespan
parameter to display the value in those increments.
The eval()
function then summarizes the values by
dividing the 5 minutes counts by 5 to provide a summarized value for
each 5 minutes timespan. You can, for example, use it to test a complex
function or expression with different inputs and quickly check the
output in the returned values.
Modify Existing Fields
Modify existing fields by evaluating the provided expression using the eval()
function
Query
eval(responsesize = responsesize / 1024)
Introduction
In this example, the eval()
function is used to
show the responseSize field in
Kibibyte (KiB) instead of bytes.
Step-by-Step
Starting with the source repository events.
- logscale
eval(responsesize = responsesize / 1024)
Modifies the existing responsesize field by, first, dividing the current value of responsesize by
1024
, then assigning the returned results back to the responsesize field.Notice that the original value is overwritten. Any subsequent use of the field responsesize in the query will be working with the new value in kilobytes, not the original value in bytes.
If you want to preserve the original value, consider creating a new field instead:
eval(responsesizeKB = responsesize / 1024)
. This creates a new field responsesizeKB while leaving the values in the original field responsesize unchanged. Event Result set.
Summary and Results
The query is used to modify an existing field. In this example, it is
used to convert values from one size to another;
bytes
to KiB
. Converting values to
KiB
is useful when working with binary systems. The
transformation is, for example, useful when dealing with network
traffic, file sizes, or any other data where you want to represent sizes
in a more readable format (KB instead of bytes).
It is also possible to use the unit:convert()
for
converting units. For more information about supported units, see
unit:convert()
.