eval() Query Function

Creates a new field by evaluating the provided expression. The eval string must always start with an assignment (f=expr). The result is stored in a field with that name. In an expression, it’s possible to supply names of fields, strings and numbers. The operators available are ==, !=, as well as +, -, *, and /; and parenthesized expressions.

In context of an eval() expression—unlike filters—identifiers always denote field values. For example, eval( is_warning= (loglevel==WARN) ) is most likely wrong; you want to write (loglevel=="WARN"). The order of evaluation of arguments is left to right.

Parameters

Takes no parameters.

Examples

Get response size in KB

humio
eval(responsesize = responsesize / 1024)

Add fields together

humio
eval(c = a + b)

Match a field to the timespan. Count should be per minute (not 5 minutes as the bucket span is)

humio
timechart(method, span=5min) | eval(_count=_count/5)