Creates a new field by evaluating the provided expression. The eval string must always start with an assignment (f=expr). The result is stored in a field with that name. In an expression, it’s possible to supply names of fields, strings and numbers. The operators available are
!=, as well as
/; and parenthesized expressions.
In context of an
eval() expression—unlike filters—identifiers always denote field values. For example,
eval( is_warning= (loglevel==WARN) ) is most likely wrong; you want to write
(loglevel=="WARN"). The order of evaluation of arguments is left to right.
Takes no parameters.
Get response size in KB
eval(responsesize = responsesize / 1024)
Add fields together
eval(c = a + b)
Match a field to the timespan. Count should be per minute (not 5 minutes as the bucket span is)
timechart(method, span=5min) | eval(_count=_count/5)