Eval Functions

The eval command calculates an expression and puts the resulting value into a field (e.g. "...| eval force = mass * acceleration"). The following table lists the functions eval understands, in addition to the basic arithmetic operators (+ - * / %), string concatenation (e.g. '...| eval name = last . ", " . last'), and Boolean operations (AND OR NOT XOR < > <= >= != = == LIKE).
abs(X)
    Returns the absolute value of X.
    Example: abs(number)

case(X,"Y",...)
    Takes pairs of arguments X and Y, where the X arguments are Boolean expressions that, when evaluated to TRUE, return the corresponding Y argument.
    Example: case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")

ceil(X)
    Returns the ceiling of the number X.
    Example: ceil(1.9)

cidrmatch("X",Y)
    Identifies IP addresses that belong to a particular subnet.
    Example: cidrmatch("",ip)

coalesce(X,...)
    Returns the first value that is not null.
    Example: coalesce(null(), "Returned val",

exact(X)
    Evaluates an expression X using double-precision floating point arithmetic.

exp(X)
    Returns e^X.
    Example: exp(3)

floor(X)
    Returns the floor of the number X.
    Example: floor(1.9)

if(X,Y,Z)
    If X evaluates to TRUE, the result is the second argument Y. If X evaluates to FALSE, the result is the third argument Z.
    Example: if(error==200, "OK", "Error")

isbool(X)
    Returns TRUE if X is Boolean.
    Example: isbool(field)

isint(X)
    Returns TRUE if X is an integer.
    Example: isint(field)

isnotnull(X)
    Returns TRUE if X is not NULL.
    Example: isnotnull(field)

isnull(X)
    Returns TRUE if X is NULL.
    Example: isnull(field)

isnum(X)
    Returns TRUE if X is a number.
    Example: isnum(field)

isstr(X)
    Returns TRUE if X is a string.
    Example: isstr(field)

len(X)
    Returns the character length of the string X.
    Example: len(field)

like(X,"Y")
    Returns TRUE if and only if X is like the SQLite pattern in Y.
    Example: like(field, "foo%")

ln(X)
    Returns the natural log of X.
    Example: ln(bytes)

log(X,Y)
    Returns the log of the first argument X using the second argument Y as the base. Y defaults to 10.

lower(X)
    Returns the lowercase of X.
    Example: lower(username)

ltrim(X,Y)
    Returns X with the characters in Y trimmed from the left side. Y defaults to spaces and tabs.
    Example: ltrim(" ZZZabcZZ ", " Z")

match(X,Y)
    Returns TRUE if X matches the regex pattern Y.
    Example: match(field, "^\d{1,3}\.\d$")

max(X,...)
    Returns the maximum of its arguments.
    Example: max(delay, mydelay)

md5(X)
    Returns the MD5 hash of the string value X.
    Example: md5(field)

min(X,...)
    Returns the minimum of its arguments.
    Example: min(delay, mydelay)

mvcount(X)
    Returns the number of values of X.
    Example: mvcount(multifield)

mvfilter(X)
    Filters a multi-valued field based on the Boolean expression X.
    Example: mvfilter(match(email, "net$"))

mvindex(X,Y,Z)
    Returns a subset of the multi-valued field X from start position (zero-based) Y to Z (optional).
    Example: mvindex(multifield, 2)

mvjoin(X,Y)
    Given a multi-valued field X and a string delimiter Y, joins the individual values of X using Y.
    Example: mvjoin(foo, ";")

now()
    Returns the current time, represented in Unix time.
    Example: now()

null()
    Takes no arguments and returns NULL.
    Example: null()

nullif(X,Y)
    Given two arguments, fields X and Y, returns X if the arguments are different; returns NULL otherwise.
    Example: nullif(fieldA, fieldB)

pi()
    Returns the constant pi.
    Example: pi()

pow(X,Y)
    Returns X^Y.
    Example: pow(2,10)

random()
    Returns a pseudo-random number ranging from 0 to 2147483647.
    Example: random()

[function name missing](X,Y)
    Given an epochtime value X and a relative time specifier Y, returns the epochtime value of Y applied to X.

replace(X,Y,Z)
    Returns a string formed by substituting string Z for every occurrence of the regex string Y in string X.
    Example: replace(date, "^(\d{1,2})/(\d{1,2})/", "\2/\1/")
    (returns the date with the month and day numbers switched, so if the input was 1/12/2009 the return value would be 12/1/2009)

round(X,Y)
    Returns X rounded to the number of decimal places specified by Y. The default is to round to an integer.

rtrim(X,Y)
    Returns X with the characters in Y trimmed from the right side. If Y is not specified, spaces and tabs are trimmed.
    Example: rtrim(" ZZZZabcZZ ", " Z")

searchmatch(X)
    Returns TRUE if the event matches the search string X.
    Example: searchmatch("foo AND bar")

split(X,"Y")
    Returns X as a multi-valued field, split by the delimiter Y.
    Example: split(foo, ";")

sqrt(X)
    Returns the square root of X.
    Example: sqrt(9)

strftime(X,Y)
    Returns the epochtime value X rendered using the format specified by Y.
    Example: strftime(_time, "%H:%M")

strptime(X,Y)
    Given a time represented by the string X, returns the value parsed from the format Y.
    Example: strptime(timeStr, "%H:%M")

substr(X,Y,Z)
    Returns a substring of field X from start position (1-based) Y for Z (optional) characters.
    Example: substr("string", 1, 3) + substr("string", -3)

time()
    Returns the wall-clock time with microsecond resolution.
    Example: time()

tonumber(X,Y)
    Converts the input string X to a number, where Y (optional, defaults to 10) defines the base of the number to convert to.

tostring(X,Y)
    Returns the field value of X as a string. If the value of X is a number, it reformats it as a string; if a Boolean value, either "True" or "False". If X is a number, the second argument Y is optional and can be "hex" (convert X to hexadecimal), "commas" (format X with commas and 2 decimal places), or "duration" (convert seconds X to the readable time format HH:MM:SS).
    Example: ... | eval foo=615 | eval foo2 = tostring(foo, "duration")
    (returns foo=615 and foo2=00:10:15)

typeof(X)
    Returns a string representation of its type.
    Example (returns the concatenated type names): typeof(12) + typeof("string") + typeof(1==2) + typeof(badfield)

upper(X)
    Returns the uppercase of X.
    Example: upper(username)

urldecode(X)
    Returns the URL X decoded.
    Example: urldecode("http%3A%2F%2Fwww.splunk.

validate(X,Y,...)
    Given pairs of arguments, Boolean expressions X and strings Y, returns the string Y corresponding to the first expression X that evaluates to FALSE, and defaults to NULL if all are TRUE.
    Example: validate(isint(port), "ERROR: Port is not an integer", port >= 1 AND port <= 65535, "ERROR: Port is out of range")
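The semantics of several of these functions (NULL fall-through in case(), the first-failure rule in validate(), 1-based substr() versus zero-based mvindex(), the "duration" and "commas" forms of tostring()) are easiest to see when they run over concrete events. The following Python model is an added example, not Splunk's own code or its eval implementation: it re-implements the listed behaviour for a handful of functions and applies them to constructed sample events the way an "... | eval ..." pipeline would. Splunk's NULL is modelled as Python None, the field names (src_ip, dest_port, user, sAMAccountName, duration), the enrich() helper and the 10.0.0.0/8 "internal" range are assumptions of the example, and the rule that a numeric string such as "22" satisfies isint() is also an assumption.

```python
# Added example, not Splunk's own code: a small Python model of several eval
# functions from the table, run over constructed sample events the way an
# "... | eval ..." pipeline would. Splunk's NULL is modelled as Python None.
import ipaddress
import re
from typing import Any, Optional

def cidrmatch(subnet: str, ip: str) -> bool:
    """cidrmatch("X",Y): TRUE when address Y lies inside CIDR block X."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(subnet, strict=False)
    except ValueError:  # a malformed address or subnet never matches
        return False

def coalesce(*values: Any) -> Any:
    """coalesce(X,...): the first argument that is not NULL."""
    return next((v for v in values if v is not None), None)

def case(*pairs: Any) -> Any:
    """case(X,"Y",...): the Y paired with the first TRUE X, NULL when none is TRUE."""
    for cond, result in zip(pairs[0::2], pairs[1::2]):
        if cond:
            return result
    return None

def validate(*pairs: Any) -> Optional[str]:
    """validate(X,Y,...): the Y paired with the first FALSE X, NULL when all are TRUE."""
    for cond, message in zip(pairs[0::2], pairs[1::2]):
        if not cond:
            return message
    return None

def isint(x: Any) -> bool:
    """isint(X): TRUE for integers; a numeric string such as "22" counts (assumption)."""
    if isinstance(x, bool):
        return False
    return isinstance(x, int) or (isinstance(x, str) and re.fullmatch(r"-?\d+", x) is not None)

def substr(s: str, start: int, length: Optional[int] = None) -> str:
    """substr(X,Y,Z): Y is 1-based (never 0), a negative Y counts from the end, Z is optional."""
    idx = start - 1 if start > 0 else len(s) + start
    return s[idx:] if length is None else s[idx:idx + length]

def mvindex(values: list, start: int, end: Optional[int] = None) -> Any:
    """mvindex(X,Y,Z): zero-based; Y alone gives one value, Y..Z an inclusive range."""
    if end is None:
        return values[start] if -len(values) <= start < len(values) else None
    stop = None if end == -1 else end + 1
    return values[start:stop]

def tostring(x: Any, fmt: Optional[str] = None) -> str:
    """tostring(X,Y): Booleans as "True"/"False"; "commas" and "duration" formats for numbers."""
    if isinstance(x, bool):
        return "True" if x else "False"
    if fmt == "commas":
        return f"{float(x):,.2f}"
    if fmt == "duration":
        hours, rem = divmod(int(x), 3600)
        minutes, seconds = divmod(rem, 60)
        return f"{hours:02d}:{minutes:02d}:{seconds:02d}"
    return str(x)

# Constructed sample events (not real log data); field names are assumptions.
EVENTS = [
    {"src_ip": "10.20.5.7", "dest_port": "22", "user": None, "sAMAccountName": "jdoe", "duration": 615},
    {"src_ip": "203.0.113.9", "dest_port": "70000", "user": "svc_backup", "sAMAccountName": None, "duration": 3661},
    {"src_ip": "not-an-ip", "dest_port": "http", "user": None, "sAMAccountName": None, "duration": 5},
]
INTERNAL = "10.0.0.0/8"  # placeholder internal range for this example

def enrich(event: dict) -> dict:
    """The equivalent of one eval pipeline: zone, port_error, user and session fields."""
    ip, port = event["src_ip"], event["dest_port"]
    port_num = int(port) if isint(port) else None
    return {
        # case() falls through to NULL when the address is malformed
        "zone": case(cidrmatch(INTERNAL, ip), "internal",
                     cidrmatch("0.0.0.0/0", ip), "external"),
        # validate() returns the first failing check's message, NULL if all pass
        "port_error": validate(isint(port), "ERROR: Port is not an integer",
                               port_num is not None and 1 <= port_num <= 65535,
                               "ERROR: Port is out of range"),
        "user": coalesce(event["user"], event["sAMAccountName"], "unknown"),
        "session": tostring(event["duration"], "duration"),
    }
```

Running enrich() over the three events gives "internal"/"external"/NULL zones, a NULL port_error only for the event whose port is an in-range integer, the first non-NULL user field for each event, and sessions rendered as 00:10:15, 01:01:01 and 00:00:05. The NULL zone for the malformed address is the point to notice: case() and cidrmatch() do not raise, so a downstream search that filters on zone="external" silently drops such events unless it also handles isnull(zone).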