12/23/2023

Splunk eval division

Takes a UNIX time and a relative time specifier and returns the UNIX time value of the specifier applied to the time. Returns the time that the search was started. If not specified, base 10 is used. Converts a value to a string using the specified format. Computes and returns the MD5 hash of a string value. Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-1 hash function. Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-256 hash function. Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-512 hash function. Returns a JSON object representation of events or search results. Converts a string to a number. Generates a new masked IP address by applying a mask to an IPv4 address. Converts data that is in an object format into an array format. Builds a string value, based on a string format and the values specified. This function defaults to NULL if all conditions evaluate to TRUE. Takes a list of conditions and values and returns the value that corresponds to the condition that evaluates to FALSE. Returns TRUE if the event matches the search string. Otherwise returns FALSE. Compares two values and returns NULL if =. Returns TRUE if the regular expression finds a match against any substring of the string value. Returns TRUE if the string value matches the pattern. Returns TRUE if one of the values in the list matches a value that you specify. If the expression evaluates to TRUE, returns the. Takes one or more values and returns the first value that is not NULL. Returns TRUE or FALSE based on whether an IP address matches a CIDR notation. Returns the first value for which the condition evaluates to TRUE. Use the links in the Type of function column for more details and examples. Accepts alternating conditions and values. This table lists the syntax and provides a brief description for each of the functions.
The following table is a quick reference of the supported evaluation functions. This example assumes that you are in the SPL View. There are two ways to find information about the supported evaluation functions: SPL2 Example: Change the value of source_type field These examples assume that you have added the function to your pipeline. 1. Examples Examples of common use cases follow. expression Syntax: Description: A combination of values, variables, operators, and functions that will be executed to determine the value to place in your destination field. If the field name already exists in your events, eval overwrites the value. Required arguments field Syntax: Description: A destination field name for the resulting calculated value. Function Output collection> This function outputs the same collection of records but with a different schema S. Function Input/Output Schema Function Input collection> This function takes in collections of records with schema R. However, while the Eval function keeps existing fields and adds new fields for the aliases in the eval, the Select function only includes the fields explicitly specified in the select function. Eval =. The functions are organized into these categories: For examples of how to use these scalar functions in your Eval function, see the Examples on this page. Both functions are used to change the fields in the record. There are dozens of scalar functions that you can use in the eval expression. There are many types of expressions you can specify. Most of the time the Eval function is used to create a new top-level field in your data and the values in that new field are the result of an expression. The Eval function processes multiple eval expressions in-order and lets you reference previously evaluated fields in subsequent expressions. You can chain multiple eval expressions in a single Eval function using a comma to separate subsequent expressions.
If the field name that you specify matches a field name that already exists in the data stream, the results of the eval expression overwrite the values in that field. If the field name that you specify does not match a field in the data stream, a new top-level field is added to your record. The Eval function calculates an expression and puts the resulting value into the record as a new field. This topic describes how to use the function in the.