Usage of EVAL{} in Splunk

Hi Guys!!!
Everyone knows about the eval command and how useful it is.
But we can do more with this command just by using curly braces. Using curly braces with the eval command, we can create new fields whose names are taken from the values of a given field. We can also append a word or string to those field names, such as [{field}_value].

Sounds interesting!!! So, let's see how we can achieve this.

Example: 1

index=_internal sourcetype=splunkd_ui_access
| table method,status
| dedup method,status

[Image 1: result of the above query]

Explanation:
Here, we have taken the "_internal" index and the "splunkd_ui_access" sourcetype.
With the "table" command we have shown every combination of values from the method and status fields in tabular form.
Then, with the "dedup" command we have discarded the duplicate combinations and kept only the unique combinations of method and status values.
Now, building on this example, we will show how eval{} can turn field values into new fields. Please see the query below:

index=_internal sourcetype=splunkd_ui_access
| table method,status
| dedup method,status
| eval {method}_value=status

[Image 2: result of the above query]
Explanation:
We have used "eval {method}_value=status".
The values of the field placed inside the curly braces become the names of the new fields. A string can also be attached after the closing brace. The values of the field placed after the "=" sign become the values of the newly created fields.
Since we used the "method" field inside the curly braces, the values of the method field have become new columns (fields). We also appended the extra string "_value", which is why "_value" is attached to every method value (e.g. DELETE_value, GET_value, POST_value) [as you can see in the above image].
We placed the status field after the "=" sign, so each new column holds the "status" field values (200, 304, 404 etc.) for that "method" value [as you can see in the above image].
Because the column names (e.g. DELETE_value, GET_value, POST_value) are taken from the method field values, they change dynamically whenever the values of the method field change.
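To make the row-by-row behaviour of eval{} concrete without a Splunk instance, here is an added Python emulation (not code from the original post and not Splunk's implementation). It takes a constructed set of unique method/status pairs, applies the same transformation as "| eval {method}_value=status", lists the columns the table would show, and then emulates a follow-up "| stats values(*_value) as *_value" (the wildcard form of stats is assumed here) that collapses the per-row dynamic fields into one summary row. The function names and the sample rows are this example's own.

```python
from collections import defaultdict

# Constructed sample standing in for the output of
# "| table method,status | dedup method,status" (not real Splunk data).
SAMPLE_ROWS = [
    {"method": "GET", "status": "200"},
    {"method": "GET", "status": "304"},
    {"method": "POST", "status": "200"},
    {"method": "DELETE", "status": "404"},
]


def eval_dynamic_field(rows, name_field, value_field, suffix=""):
    """Emulate `| eval {name_field}<suffix>=value_field`.

    For each row a new field is created whose NAME is that row's value of
    name_field plus the literal suffix, and whose VALUE is that row's value
    of value_field. Because the name depends on the row, each row populates
    only its own dynamic column; the other dynamic columns stay empty for
    that row. Rows missing either operand are passed through unchanged,
    mirroring eval producing a null result when an operand is absent.
    """
    out = []
    for row in rows:
        new_row = dict(row)
        name = row.get(name_field)
        value = row.get(value_field)
        if name is not None and value is not None:
            new_row[f"{name}{suffix}"] = value
        out.append(new_row)
    return out


def column_names(rows, fixed=()):
    """Columns the table would display: the fixed fields first, then every
    dynamically created field in sorted order."""
    dynamic = sorted({k for r in rows for k in r} - set(fixed))
    return list(fixed) + dynamic


def collapse_values(rows, suffix):
    """Emulate `| stats values(*<suffix>) as *<suffix>` (assumed wildcard form):
    a single summary row in which each dynamic column holds the sorted
    distinct values seen in it across all rows."""
    summary = defaultdict(set)
    for r in rows:
        for k, v in r.items():
            if k.endswith(suffix):
                summary[k].add(v)
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    rows = eval_dynamic_field(SAMPLE_ROWS, "method", "status", "_value")
    cols = column_names(rows, ("method", "status"))
    print(" | ".join(cols))
    for r in rows:
        print(" | ".join(str(r.get(c, "")) for c in cols))
    print(collapse_values(rows, "_value"))
```

Running it prints one row per unique method/status pair with only the matching *_value column filled, which is exactly why the screenshot shows blanks in the other dynamic columns; the final summary line shows how a stats step gathers those scattered values into one row per dynamic field.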

If you want to know more uses of eval{}, please visit the blogs mentioned below.

You can also read about: Counting of a Particular Character in a Field

DONUT – CUSTOM VISUALIZATION

SORTING TRICKS WITH SPLUNK SINGLE VALUE VISUALIZATION IN TRELLIS VIEW ON THE BASIS OF COUNT

HOW TO RENAME FIELD(COLUMN) NAMES DYNAMICALLY IN SPLUNK

Hope you have understood the topic covered above without fail.
Usage Of EVAL{} In Splunk

Happy Splunking !!
