SPLK-1004 Exploring eval Command Functions

Exploring eval Command Functions Detailed Explanation

This section will teach you how to use Splunk’s eval command to create, transform, and analyze data fields, which is one of the most powerful capabilities in Splunk.

1. Overview – What is eval?

The eval command is used to create new fields or modify existing ones by applying expressions and functions. It is similar to Excel formulas or programming logic: you calculate, format, or assign values based on other data.

You can use it for:

• Math calculations

• Text manipulation

• Conditional logic (like if statements)

• Date/time formatting

• Multi-value operations

• Hashing/encryption functions

It’s a key building block for dashboards, alerts, data analysis, and more.

2. Syntax of eval

... | eval new_field = function(arguments)

You are saying:

"Create a new field called new_field, and assign it the result of this calculation."

Multiple eval expressions can be used together, like this:

... | eval revenue = price * quantity, discount_price = price * 0.9

3. Common Eval Function Categories

Arithmetic & Logic Functions

You can perform basic math and logic like:

• +, -, *, /

• Comparison: >, <, ==, !=

• Logical: AND, OR, NOT

Example:

| eval total = price * quantity
| eval is_high = total > 1000

• total becomes a new field with the multiplication result.

• is_high becomes a boolean: true if total > 1000, otherwise false.

Conditional Logic

Use if() or case() to create logic-based outputs.

if(condition, true_value, false_value)

| eval response_type = if(response_time > 1000, "slow", "fast")

case(condition1, result1, condition2, result2, ..., default)

| eval status = case(
    response_time > 3000, "critical",
    response_time > 1000, "warning",
    true(), "normal"
)

• case() is more readable and supports multiple conditions, similar to if-else-if.

String Functions

Functions that manipulate text fields.

Function	What it does	Example
lower()	Converts to lowercase	lower(user) → alice
upper()	Converts to uppercase	upper(user) → ALICE
substr()	Extracts part of a string	substr(name, 1, 3) → Ali
replace()	Replaces part of a string	replace(url, "http", "https")
match()	Returns true/false based on regex	match(email, ".*@gmail.com")
len()	Length of the string	len(user) → 5
trim()	Removes spaces from beginning/end	trim(name)
split()	Splits string into multi-value field	split(email, "@") → ["alice", "gmail.com"]

Example:

| eval domain = split(email, "@")[1]

Extracts the domain from the email address (gmail.com).

Date & Time Functions

Work with timestamps and dates, especially useful for formatting and time comparisons.

Function	Purpose	Example
strftime()	Converts epoch to string	strftime(_time, "%Y-%m-%d") → 2025-04-18
strptime()	Converts string to epoch	strptime("2024-01-01", "%Y-%m-%d") → 1704067200
relative_time()	Returns relative time from base time	relative_time(now(), "-1d@d") → yesterday at midnight
now()	Returns current epoch timestamp	eval current_time = now()

Example:

| eval log_day = strftime(_time, "%A")

Returns the day of the week for each event.

Multi-value Functions

Useful when a field contains multiple values (arrays).

Function	Description	Example
mvcount()	Counts the number of values	mvcount(user_roles)
mvindex()	Gets value at a specific position	mvindex(user_roles, 1)
mvjoin()	Converts multivalue field to string	mvjoin(user_roles, ",")
split()	Splits a string into multivalue field	split("admin,user,guest", ",")

Example:

| eval third_value = mvindex(values_field, 2)

Returns the 3rd item in the multi-value list (indexing starts at 0).

Cryptographic Functions

You can hash or encode field values, useful for anonymizing data or security tracking.

Function	Description	Example
md5()	128-bit hash (string)	eval hash = md5(user_id)
sha256()	256-bit secure hash	eval hash = sha256(email)

These are useful in environments where user data must be kept private but still tracked.

4. Field Creation and Manipulation

What does this mean?

In Splunk, fields are like data columns. You often receive them automatically (e.g., host, status, bytes) from log data. But sometimes you need to create your own custom fields during a search.

This is where eval shines.

Why create new fields?

• To transform data into a more useful format

• To prepare custom values for dashboards or alerts

• To categorize data for filtering and analysis

Example 1: Creating a revenue field

| eval revenue = price * quantity

Now, every event has a new revenue field calculated from two others.

Example 2: Flag events as high priority

| eval priority = if(error_code > 500, "High", "Normal")

Creates a new field priority, which can be used for filtering, coloring dashboards, or triggering alerts.

Example 3: Format a timestamp

| eval readable_time = strftime(_time, "%Y-%m-%d %H:%M:%S")

Useful when you want a formatted date/time string for display in dashboards.

Example 4: Combine multiple fields

| eval full_name = first_name . " " . last_name

Here, the dot . operator concatenates strings.

Example 5: Categorize values using case()

| eval cpu_status = case(
    cpu > 90, "Critical",
    cpu > 70, "Warning",
    true(), "Normal"
)

This creates a cpu_status field with readable labels instead of raw numbers.

Where can these new fields be used?

• In tables:

  | table host, cpu, cpu_status
  

• In dashboards: Display status, priority, or other eval results in a chart.

• In alerts: Trigger alert when priority="High"

• In groupings: Use new fields in stats or timechart, like:

  | stats count by cpu_status
  

5. Best Practices for Using eval

Using eval correctly can make your searches faster, more readable, and more powerful. Here are essential tips:

Use case() instead of nested if()

If you have multiple conditions, don’t do this:

| eval status = if(cpu > 90, "Critical", if(cpu > 70, "Warning", "Normal"))

Do this instead:

| eval status = case(
    cpu > 90, "Critical",
    cpu > 70, "Warning",
    true(), "Normal"
)

Why? It’s easier to read and less error-prone.

Check your data types

Some functions require:

• Numbers only: sum(), avg(), stdev(), etc.

• Strings only: split(), lower(), replace()

If you’re not sure what type a field is:

| eval type_check = typeof(field_name)

Chain multiple eval statements

You can create several new fields in one eval, separated by commas:

| eval total=price*quantity, discount=total*0.1, final_price=total-discount

But if it gets too long, use multiple lines for clarity.

Name your fields clearly

Avoid vague names like x, temp, or thing. Use names like discount_amount, status_code, response_label for clarity.

Don’t overuse eval unnecessarily

Only create new fields if you plan to use them later in:

• Filtering (where)

• Visualization (table, stats, timechart)

• Alerts or tokens

Too many unused evals make searches messy and slow.

Final Thoughts on eval

• eval is your Swiss Army knife for data transformation in Splunk.

• It allows you to turn raw logs into meaningful, actionable insights.

• Whether you need math, string processing, conditional logic, or timestamps, eval can do it.

Exploring eval Command Functions (Additional Content)

1. coalesce() Function – Handling Missing Fields

The coalesce() function is commonly tested as a trap answer or a correct method for handling missing or null values in Splunk.

Functionality:

• Returns the first non-null, non-empty value from a list of fields or literals.

• Useful when a field might exist under different names across sourcetypes or logs.

• Prevents null values from breaking evaluations or visualizations.

Syntax:

eval user = coalesce(user_id, user_name, "unknown")

Explanation:

• If user_id exists, it is used.

• If user_id is null but user_name exists, user_name is used.

• If both are null, the string "unknown" is used.

Why it matters:

In exams, coalesce() is often compared or confused with conditional logic like if(isnull(...)). Understanding that coalesce() is simpler and more elegant is important.

2. typeof() Function – Useful for Debugging

The typeof() function helps identify the data type of a field or expression — especially useful when debugging eval expressions that aren’t behaving as expected.

Functionality:

• Returns a string that describes the type of the value passed.

• Helps developers ensure they are using correct functions for the data type.

Common Return Values:

Usage	Example Output
typeof(price)	"number"
typeof(name)	"string"
typeof(user_roles)	"multivalue"

Use Case Example:

... | eval field_type = typeof(response_time)

• Useful when you expect a number but get a string (e.g., due to data import issues).

• Can help differentiate between multivalue fields and strings that merely look like lists.

Exam Tip:

typeof() is often not required in standard searches, but in the exam it may appear in debugging or troubleshooting questions, especially involving unexpected results in eval.

3. in() Function – Logical Membership Testing

The in() function is a logical operator used to check whether a field’s value matches one of several possibilities.

Functionality:

• Returns true if the value is found in the provided list.

• Can be used inside eval, if, case, where, and other SPL logic blocks.

Syntax:

eval is_vip = if(user in ("alice", "bob", "carol"), 1, 0)

Explanation:

• The user field is compared against a list.

• If it matches any of the values, is_vip is set to 1.

Alternative Contexts:

Also useful in filtering:

... | where status in (404, 500, 503)

Compare with:

• like() → pattern-based, often with wildcards.

• match() → regex-based.

• in() → exact match, list-based.

Why it matters:

In the exam, in() is often confused with match() or like(), but it is the correct choice when working with literal lists of values.

Summary of Advanced eval Tools:

Function	Purpose
coalesce()	Use first non-null field value
typeof()	Identify data type of a field
in()	Test if a value exists in a specified list