eval
The `eval` command is very flexible and allows a wide range of operations to be performed on field values. It can be used to perform mathematical calculations, string manipulation, and more.
Syntax
The `eval` command accepts arguments with the following structure:
```
new_field=<expression>
```
There can be multiple arguments for a given `eval` command, separated by spaces. The expressions are evaluated in left-to-right order, and subsequent expressions may refer to fields created by previous expressions.
There are a wide range of functions that can be used within the expression. These include:
- conditionals - Control flow based on conditions
- encoding - Functions for encoding and decoding data
- maths - Mathematical operations
- text - String manipulation functions
- multivalue - Functions for working with multivalued fields
- cryptography - Cryptographic functions such as hashing operations
- time - Functions for working with time and dates
As well as the subcommands above, there are also the primitive expressions `field` and `literal`, which refer to existing fields and literal values respectively.
Eval subcommands that accept arguments can be arbitrarily nested, allowing complex expressions to be built up.
Example
Create a new field `foo` with the literal value `bar` on all events:
```
| eval foo="bar"
```
Create a new field `baz` with the value of whatever the `foo` field contains on all events:
```
| eval baz=foo
```
For an example of using conditionals, take the following search, which returns ssh logins from multiple indices:
```
| select systemd(accepted ssh) syslog(accepted sshd)
```
The `systemd` index uses capitals for field names while the `syslog` index uses lowercase. We can use `eval` to create a consistent set of fields across both indices, which we can then extract fields from:
```
| select systemd(accepted ssh) syslog(accepted sshd)
| eval message=if(MESSAGE=*, MESSAGE, message)
| extract message=/^\w+\s(?<auth_method>\w+)\s\w+\s(?<user>\w+)\s\w+\s(?<remote>[^\s]+)/
```
An example of using nested subcommands to create a new field `host` from a field `fqdn` containing the value `hostname.subdomain.domain.tld`:
```
| eval host=mvindex(split(fqdn, "."), 0)
```
This command splits the `fqdn` field on each period character and then extracts the first element of that array (the hostname). The result is a new field called `host` with the value `hostname`.
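The ssh-login normalisation and the `host` extraction above, replayed in Python over two constructed events so the regex and the field fallback can be checked offline. This is an added example, not part of the search tool itself; it assumes `MESSAGE=*` means "the field exists", and rewrites the regex's `(?<name>)` groups as Python's `(?P<name>)`.

```python
import re

# Constructed sample events: one systemd-journal style event with an
# upper-case MESSAGE field, one syslog style event with lower-case message.
EVENTS = [
    {"index": "systemd",
     "MESSAGE": "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
     "fqdn": "bastion.corp.example.com"},
    {"index": "syslog",
     "message": "Accepted password for bob from 192.0.2.7 port 40022 ssh2",
     "fqdn": "web01.dmz.example.net"},
]

# Same pattern as the page's `extract`, in Python named-group syntax.
SSH_ACCEPTED = re.compile(
    r"^\w+\s(?P<auth_method>\w+)\s\w+\s(?P<user>\w+)\s\w+\s(?P<remote>[^\s]+)"
)


def eval_message(event):
    """| eval message=if(MESSAGE=*, MESSAGE, message)  (assumed =* means 'exists')."""
    out = dict(event)
    out["message"] = event["MESSAGE"] if "MESSAGE" in event else event.get("message")
    return out


def extract_ssh(event):
    """| extract message=/.../  -- adds auth_method, user, remote on a match."""
    out = dict(event)
    m = SSH_ACCEPTED.match(event.get("message") or "")
    if m:
        out.update(m.groupdict())
    return out


def eval_host(event):
    """| eval host=mvindex(split(fqdn, "."), 0)"""
    out = dict(event)
    if "fqdn" in event:
        out["host"] = event["fqdn"].split(".")[0]
    return out


def run_pipeline(events):
    """Apply the three stages left to right, as the search pipeline would."""
    result = []
    for ev in events:
        for stage in (eval_message, extract_ssh, eval_host):
            ev = stage(ev)
        result.append(ev)
    return result
```

Events whose `message` does not match the pattern pass through without the three extracted fields, which is the behaviour to watch for when a new login format appears.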