eval

The eval command is very flexible, and allows for a wide range of operations to be performed on field values. It can be used to perform mathematical calculations, string manipulation, and more.

Syntax

The eval command accepts arguments with the following structure:

new_field=<expression>

There can be multiple arguments for a given eval command, separated by spaces. The expressions are evaluated in left-to-right order, and subsequent expressions may refer to fields created by previous expressions.

There are a wide range of functions that can be used within the expression. These include:

  • conditionals - Control flow based on conditions
  • encoding - Functions for encoding and decoding data
  • maths - Mathematical operations
  • text - String manipulation functions
  • multivalue - Functions for working with multivalued fields
  • cryptography - Cryptographic functions such as hashing operations
  • time - Functions for working with time and dates

As well as the subcommands above, there are also the primitive expressions field and literal, which refer to an existing field or to a literal value respectively.

Eval subcommands that accept arguments can be arbitrarily nested, allowing complex expressions to be built up.

Example

Create a new field foo with the literal value of bar on all events:

| eval foo="bar"

Create a new field baz with the value of whatever the foo field contains on all events:

| eval baz=foo

For an example of using conditionals, take the following search, which returns ssh logins from multiple indices:

| select systemd(accepted ssh) syslog(accepted sshd)

The systemd index uses capitals for field names while the syslog index uses lowercase. We can use eval to create a consistent set of fields across both indices, which we can then extract further fields from:

| select systemd(accepted ssh) syslog(accepted sshd)
| eval message=if(MESSAGE=*, MESSAGE, message)
| extract message=/^\w+\s(?<auth_method>\w+)\s\w+\s(?<user>\w+)\s\w+\s(?<remote>[^\s]+)/

An example of using nested subcommands to create a new field host from a field fqdn containing the value hostname.subdomain.domain.tld:

| eval host=mvindex(split(fqdn, "."), 0)

This command splits the fqdn field on each period character and then extracts the first element of that array (the hostname). The result is a new field called host with the value of hostname.
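To make the three behaviours above concrete (left-to-right evaluation where a later expression reads a field created by an earlier one, the if() normalisation of MESSAGE versus message across indices, and the nested mvindex(split(...)) call), here is an added Python model of the pipeline. It is example code written for this page, not the search tool's own implementation, and it assumes semantics the page does not spell out: that MESSAGE=* tests whether the field exists, that split() yields a multivalue field represented as a list, that mvindex() returns nothing for an out-of-range index, and that an extract whose regex does not match leaves the event unchanged. The sample events, the login field and the string concatenation used to build it are constructed for the example.

```python
import re

# Constructed sample events (not from the page): one from a systemd-style index
# with upper-case field names, one from a syslog-style index with lower-case.
SAMPLE_EVENTS = [
    {"index": "systemd",
     "MESSAGE": "Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
     "fqdn": "bastion.corp.example.com"},
    {"index": "syslog",
     "message": "Accepted password for bob from 198.51.100.7 port 40022 ssh2",
     "fqdn": "jump.example.net"},
]


def fn_if(cond, then_value, else_value):
    """Assumed if() semantics: the page's MESSAGE=* test is modelled as
    'the field exists'; the caller computes cond as a bool."""
    return then_value if cond else else_value


def fn_split(value, sep):
    """Assumed split(): a single value becomes a multivalue field (a list)."""
    return value.split(sep) if value is not None else []


def fn_mvindex(values, i):
    """Assumed mvindex(): element i of a multivalue field, None if out of range."""
    return values[i] if values and -len(values) <= i < len(values) else None


def run_eval(event, assignments):
    """Apply eval assignments left to right. Each assignment is
    (new_field, expression); the expression receives the event as it stands
    after the previous assignments, so it can read fields they created."""
    out = dict(event)
    for new_field, expression in assignments:
        out[new_field] = expression(out)
    return out


# The page's regex uses (?<name>...) groups; Python's re spells them (?P<name>...).
SSH_ACCEPTED = re.compile(
    r"^\w+\s(?P<auth_method>\w+)\s\w+\s(?P<user>\w+)\s\w+\s(?P<remote>[^\s]+)"
)


def run_extract(event, field, pattern):
    """Named capture groups become new fields. An event whose field does not
    match (e.g. a 'Failed password' line) is returned unchanged, not dropped."""
    m = pattern.match(event.get(field) or "")
    return {**event, **m.groupdict()} if m else dict(event)


def normalise_ssh_logins(events):
    """Model of the pipeline:
       | eval message=if(MESSAGE=*, MESSAGE, message)
       | extract message=/^\\w+\\s(?<auth_method>\\w+)\\s\\w+\\s(?<user>\\w+)\\s\\w+\\s(?<remote>[^\\s]+)/
       | eval host=mvindex(split(fqdn, "."), 0) login=<user "@" host>   (login is hypothetical)
    """
    normalise = [
        ("message", lambda e: fn_if("MESSAGE" in e, e.get("MESSAGE"), e.get("message"))),
    ]
    derive = [
        # Nested subcommands, as on the page.
        ("host", lambda e: fn_mvindex(fn_split(e.get("fqdn"), "."), 0)),
        # Reads 'host', which the previous expression in the same eval created.
        ("login", lambda e: f"{e.get('user')}@{e.get('host')}"),
    ]
    results = []
    for ev in events:
        ev = run_eval(ev, normalise)
        ev = run_extract(ev, "message", SSH_ACCEPTED)
        ev = run_eval(ev, derive)
        results.append(ev)
    return results


if __name__ == "__main__":
    for ev in normalise_ssh_logins(SAMPLE_EVENTS):
        print(ev["index"], ev["login"], ev["auth_method"], ev["remote"])
```

Because run_eval passes the partially updated event into each expression, reordering the two derive assignments would make login read a host that does not exist yet; that ordering dependency is exactly what the left-to-right rule above guarantees.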