Splunk is software for monitoring, searching, visualizing and analyzing machine-generated data (application logs, data from websites and database logs, for a start) up to big-data scale through a web-style interface. It indexes and searches log files stored on a system or the like, and it is scalable and potent. Splunk bridges the gaps between what a simple log management tool, a security information product or an event management product can each manage on its own.
Splunk eval command
In the simplest terms, the eval command calculates an expression and puts the resulting value into a destination field. If the destination field name matches an existing field, eval overwrites that field's value with the result of the expression. The eval command can evaluate mathematical, string and Boolean expressions. You can chain more than one eval expression in a single search by separating each expression from the next with a comma. Because the search processes eval expressions from left to right, a later expression can reference a field that an earlier expression has already evaluated.
Eval Command Follows The Syntax As Shown Below
eval <field>=<expression> ["," <field>=<expression>]...
Now based on the syntax that is shown earlier, let us take a deeper look into the fields that are passed on to this command:
1. <field> is the destination field name that receives the value calculated by the eval command. If the field name already exists in any of your events, the eval command overwrites its value with the calculated value.
2. <expression> is a combination of values, variables, operators and functions that is evaluated to determine the value placed into your destination field.
Splunk’s Two Cents On The Usage Of eval Expressions
1. The syntax of the eval expression is checked before the actual search runs, and if the expression is invalid an exception is thrown.
2. The result of an eval expression can never be a Boolean. If the expression cannot be evaluated successfully at search time, eval clears the resulting field.
As per the command and its usage, you would have understood by now that all the possible operators available can be put to use in your expressions. But for a quicker reference, we are providing the list of operators with which you can perform the basic operations in any of your expressions.
Arithmetic operations: + - * / %
Concatenation operations: .
Boolean operations: AND OR NOT XOR < > <= >= != = == LIKE
With the theory of the command, its syntax and its usage covered, let us now concentrate on how to use it in practice. This forms most of your work when Splunk's eval command is put to use.
1. The first example creates a new field and assigns it a value on the fly, once eval has calculated the value of an expression. Let us create a new field called runRate in each event; its value is the number of runs scored divided by the number of overs bowled.
… | eval runRate = numberOfRuns / numberOfOvers
2. The second example uses the 'if' function to determine the value placed in the isACentury field. Let us create a field named isACentury in each event. The condition check sets the value to TRUE if numberOfRuns is 100, otherwise to FALSE.
… | eval isACentury = if(numberOfRuns == 100, "TRUE", "FALSE")
3. In this example, let us display the name of a player entirely in lower case. Even if the player's name is in camel case or upper case, the value is converted to lower case.
… | eval lowercaseName = lower(nameOfPlayer)
4. In this example, let us take a simple string concatenation as the scenario and see how Splunk's eval command comes into play.
… | eval playerFullName = firstName." ".lastName
5. What if you wanted to evaluate two separate eval expressions at the same time to get a final output? You can line them up in one single command, separated by a comma. Let us combine the two examples above into a single example.
… | eval playerFullName = firstName." ".lastName, lowerPlayerFullName = lower(playerFullName)
6. In this example, let us go a step beyond simple arithmetic. Let us take the sum of the areas of two circles with different radii as the input to our destination field: a field named areaSum is assigned the value of the expression once eval has evaluated it.
… | eval areaSum = pi() * pow(radiusOfCircle1,2) + pi() * pow(radiusOfCircle2,2)
7. Let us now look at a case where playerType is evaluated with the case function against the available options of 'Batsman', 'Bowler' or 'All-Rounder':
… | eval isPlayerBatsman = case(playerType==1, "Batsman", playerType==2, "Bowler", playerType==3, "All-Rounder")
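The points above combined in one search, as an added example that is not part of the original article: it can be pasted into the Splunk search bar and runs without indexed data, because makeresults and streamstats build four constructed events. It shows left-to-right chaining, overwriting an existing field, wrapping a Boolean test in if(), a guarded division that clears the field explicitly, and a true() default in case(). The sample names and numbers, the sampleData marker field and the playerRole field name are assumptions made for this example.

```spl
| makeresults count=4
| streamstats count AS n
| eval sampleData="constructed",
       firstName=case(n==1,"Asha", n==2,"BEN", n==3,"Chris", n==4,"Dev"),
       lastName=case(n==1,"Rao", n==2,"STONE", n==3,"Lee", n==4,"Patel"),
       numberOfRuns=case(n==1,100, n==2,48, n==3,0, n==4,100),
       numberOfOvers=case(n==1,20, n==2,10, n==3,0, n==4,12.5),
       playerType=case(n==1,1, n==2,2, n==3,3, n==4,7)
| eval playerFullName=firstName." ".lastName,
       lowerPlayerFullName=lower(playerFullName),
       runRate=if(numberOfOvers > 0, round(numberOfRuns / numberOfOvers, 2), null()),
       isACentury=if(numberOfRuns == 100, "TRUE", "FALSE"),
       playerRole=case(playerType==1, "Batsman",
                       playerType==2, "Bowler",
                       playerType==3, "All-Rounder",
                       true(), "Unknown")
| eval playerFullName=lower(playerFullName)
| table sampleData playerFullName lowerPlayerFullName numberOfRuns numberOfOvers runRate isACentury playerRole
```

The third constructed event has zero overs, so the if() guard leaves runRate empty for it; the fourth has a playerType that matches no listed option and falls through to the true() default instead of leaving playerRole empty.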
In this article, we have tried to demystify what Splunk can do as standalone software and where it can be used. We have also tried to understand how to use Splunk's eval command to extract data or substitute data using regular expressions.
We hope this article has provided the details you need to understand the concept. If you are looking for more details on this topic, we suggest going through the Splunk documentation.