### Usage of Splunk EVAL Function :TOSTRING

Usage of Splunk EVAL Function : TOSTRING

• This function takes two arguments ( X and Y )
• This functions converts inputs value to a string value .
• If you give number as an input it formats the number as a string.
• If you give Boolean value as an input it returns “True” or “False” corresponding to the Boolean value.
• If the first argument ( X ) is a number then second argument(Y) can be “hex” , “commas” or “duration”.

Find below the skeleton of the usage of the function “tostring” with EVAL :

….. | eval NEW_FIELD=tostring(X,Y )

Example 1:

```index=_internal sourcetype=splunkd_ui_access
| eval New_Field=tostring(1==1)
| table New_Field
| dedup New_Field```

Result:

Explanation:

In the above query _internal is the index name and sourcetype name is splunkd_ui_access . We have given a Boolean value as a input of tostring function so it returns “True” corresponding to the Boolean value  and store the value in a new field called New_Field. Because 1==1 is an universal truth. At last by table function we have taken New_Field in tabular format and by dedup command we have removed the duplicate values from the result set.

*******************************************************************************

Example 2:

```index=_internal sourcetype=splunkd_ui_access
| stats count as decimal by method
| eval Hex_Field=tostring(decimal,"hex")```

Result:

Explanation:

In the above query _internal is the index name and sourcetype name is splunkd_ui_access. By the stats command we have taken the count of method field values and rename the count field as decimal. Here method is an existing field name in _internal index.We have used “hex” as an argument with tostring function for eval command . This argument converts the decimal value into a hexa-decimal value . We have stored the hexa-decimal values in a new field called Hex_Field.

*********************************************************************************

You can also know about :  Usage of Splunk EVAL Function : MVFILTER

Example 3:

```index=_internal sourcetype=splunkd_ui_access
| stats sum(bytes) as Summation by method
| eval Comma_Field=tostring(Summation,"commas")```

Result:

Explanation:

In the above query _internal is the index name and sourcetype name is splunkd_ui_access. By stats command we have taken the summation of bytes for every method field values and rename the field as Summation. Here method and bytes are existing field names in _internal index. We have used “commas” as an argument with tostring function for eval command  . This argument formats the Summation field with commas. If a field includes decimal values then it round offs to nearest two decimal point. We have store the values in a new field called Comma_Field.

*******************************************************************************

Example 4:

```index=_internal sourcetype=splunkd_ui_access
| eval Second="33403"
| eval Duration=tostring(Second,"duration")
| table Second,Duration
| dedup Second,Duration```

Result:

Explanation:

In the above query _internal is the index name and sourcetype name is splunkd_ui_access. By the eval command we have created a field called Second. In the Second field we have stored “33403” as second value . We have used “duration” as an argument with tostring function for eval command. This argument converts seconds to readable time format ( HH:MM:SS ). We have store the time formatted  value in a new field called Duration. By table command we have taken Second and Duration fields in a tabular format and by dedup command we have removed the duplicate values from the result set.

Now you can effectively utilize “tostring” function with “eval” command to meet your requirement !!

Hope you are now comfortable in : Usage of Splunk EVAL Function : TOSTRING

HAPPY SPLUNKING !!

+1
1
+1
+1
3
+1
+1
+1
+1