Splunk Series II: Filtering/Formatting Data

Introduction to Eval Commands

The eval commands are great to perform calculations, convert values, road values, format values and even use conditional statements. It is recommended to use search and were commands to filter calculated results.

Eval commands allow you to calculate and manipulate field values in your report
Supports a variety of functions
Results of Eval written to either new or existing fields you specify
* If the destination field exists, the values of the field are replaced by the results of eval
* Index data is not modified, and no new data is written to the index
* Field values are treated in a case-sensitive manner

* Multiple expressions can be combined into one eval command
* Each subsequent expression references the result of the previous expression
* Expressions must be separated by commas

UntitledImage

UntitledImage

Filtering Results – Search and Where

The search and where commands each filter results

Search

* Maybe easier if you are familiar with the basic search syntax
* Treats field values in a case-insensitive manner
* Allows Searching on keywords
* Can be used at any point in the search pipeline

UntitledImage

UntitledImage

Where

* Can compare values from two different fields
* Functions are available, such as

isnotnull()

* Treats fields in a case-sensitive manner


where eval expression

 

Uses the same expression as the eval command
Uses boolean expressions to filter search results and only keep results that are true
Double quoted strings are interpreted as field values
Unquoted or single-quoted values are treated as fields
UntitledImage

UntitledImage

What is next?

Correlating Events

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 15 years of experience, Andres is specialized in Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.

You can follow Andres using Twitter, LinkedIn or Facebook

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.