The eval command is perhaps the most advanced and powerful command in SPL. It allows you to store the resulting value of the eval operation in a field. A myriad of functions can be used with eval. Let us try some of the simpler and more common ones.
The simplest type of eval command performs a simple if/then/else condition and stores a value in the newly created field. For example, if you want to create counts of successful and unsuccessful requests, use http_status_code to determine whether the request is successful, and, if it is, count the transaction as successful:
SPL> index=main earliest=-1h latest=now | stats count(eval(if(http_status_code < "400", 1, NULL))) AS successful_requests count(eval(if(http_status_code >= "400", 1, NULL))) AS unsuccessful_requests by http_status_code
There are also countless functions that can be used effectively with eval (we'll discuss some of them later):
SPL> | eval round(X, Y)
Run the search command shown as follows, then modify it to include the eval function round(X, Y). Watch how the percent column values are transformed as they are rounded to the nearest integer with two decimal values:
SPL> index=main | top http_uri
index=main | top http_uri | eval percent=round(percent, 2)
Use this function to transform the URL strings into uppercase:
SPL> index=main | top http_uri
index=main | top http_uri | eval http_uri=upper(http_uri)
The case function is especially useful when transforming data based on a Boolean condition. If X is true, then assign to the variable the string Y. Here is an example that looks for two different values and assigns two different values:
SPL> index=main | top http_uri showperc=false
| eval Tag=case(http_uri=="/booking/payment", "Payment", http_uri="/auth", "Authorization")
The resulting table shows that a new column called Tag has been created and all instances of /home have been marked as Home and all instances of /auth have been marked as Auth:
