Creates a new field by evaluating the provided expression. The
eval string must always start with an assignment
(f=expr). The result is stored
in a field with that name.
In an expression, it is possible to
supply names of fields, strings and numbers.
The operators
available are ==,
!=, as well as
+,
-,
*, and
/ and parenthesized expressions.
eval() accepts multiple expressions to be
evaluated, separated by a comma, in the form of
field_name = expression.
Note
This function takes no parameters.
The following are all valid examples:
logscale
eval(a=3)
logscale
eval(a=b,x =y + z)
In the context of an eval() expression
— unlike filters — identifiers always denote field
values. For example:
logscale Syntax
eval(is_warning=(loglevel==WARN))
is most likely wrong; you want to write:
logscale Syntax
(loglevel=="WARN")
The order of evaluation of arguments is left to right.
The expression:
logscale Syntax
eval(f=expr)
only results in an assignment to
f when
expr yields a result —
which is not the case when a field in the expression does not
exist, or it's not a number.
This means that fields are not created if the source event is
missing a value.
If f already existed as a field
on the event and expr did not
yield any result, then f is
unchanged.
Click + next to an example below to get the full details.
Create New Fields
Create new fields by evaluating the provided expression using the eval() function
Query
logscale
eval(c=a+b)
Introduction
In this example, the eval() function is used
to add the fields a and
b together, creating a new
field c containing the
results.
Step-by-Step
Starting with the source repository events.
logscale
eval(c=a+b)
Adds the values of field a and
field b together and returns the
sum of these in a new field named
c.
Event Result set.
Summary and Results
The query is used to create a new field containing the sum of two other
fields. In case the field c
already existed, it would just be modified with the new value. The
eval() function is useful when testing and
debugging. You can for example use it to test a complex function or
expression with different inputs and quickly check the output in the
returned values.
Match Field to Timespan
Match a field to timespan using the eval() function with timeChart()
Query
logscale
timechart(method,span=5min)|eval(_count=_count/5)
Introduction
In this example, the eval() function is used
with timeChart() to match a field to the
timespan, dividing the count by 5 to convert from a 5 minute count
to a per-minute count.
Step-by-Step
Starting with the source repository events.
logscale
timechart(method,span=5min)
Creates a timechart based on the values of the
method field, and groups data into 5 minute buckets
(span=5min). By default, it counts events in each bucket and returns the
result in a field named _count.
logscale
|eval(_count=_count/5)
Divides the count by 5 to convert from a 5-minute count to a
per-minute count, and returns the new value in the
_count field.
This approach is useful when you want to display per-minute rates but
also want to benefit from the reduced data points and improved
performance of larger time buckets.
Event Result set.
Summary and Results
The query is used to match a field to a timespan. It summarizes the
count into 5 minutes blocks and then displays those using the
timeChart()timespan
parameter to display the value in those increments.
The eval() function then summarizes the values by
dividing the 5 minutes counts by 5 to provide a summarized value for
each 5 minutes timespan. You can, for example, use it to test a complex
function or expression with different inputs and quickly check the
output in the returned values.
Modify Existing Fields
Modify existing fields by evaluating the provided expression using the eval() function
Query
logscale
eval(responsesize=responsesize/ 1024)
Introduction
In this example, the eval() function is used to
show the responseSize field in
Kibibyte (KiB) instead of bytes.
Step-by-Step
Starting with the source repository events.
logscale
eval(responsesize=responsesize/ 1024)
Modifies the existing
responsesize field by, first,
dividing the current value of
responsesize by
1024, then assigning the returned results back to
the responsesize field.
Notice that the original value is overwritten. Any subsequent use of
the field responsesize in the
query will be working with the new value in kilobytes, not the
original value in bytes.
If you want to preserve the original value, consider creating a new
field instead: eval(responsesizeKB =
responsesize / 1024). This creates a new field
responsesizeKB while leaving
the values in the original field
responsesize unchanged.
Event Result set.
Summary and Results
The query is used to modify an existing field. In this example, it is
used to convert values from one size to another;
bytes to KiB. Converting values to
KiB is useful when working with binary systems. The
transformation is, for example, useful when dealing with network
traffic, file sizes, or any other data where you want to represent sizes
in a more readable format (KB instead of bytes).
It is also possible to use the unit:convert() for
converting units. For more information about supported units, see
unit:convert().
