eval
eval
Create or modify fields by evaluating expressions for each record.
| eval newField = expression | eval duration_sec = duration / 1000Parameters
Section titled “Parameters”newField = expression: Assigns the result of the expression to a new or existing field.
Supported Functions and Expressions
Section titled “Supported Functions and Expressions”You can use arithmetic, logical, and conditional expressions, as well as functions, in eval assignments. Common supported functions include:
- Mathematical:
+,-,*,/ - String:
lower(str),upper(str),length(str),trim(str) - Number:
abs(x),round(x),ceil(x),floor(x) - Boolean:
contains(str, substr),startsWith(str, prefix),endsWith(str, suffix),match(str, regex),isNull(x),isNotNull(x) - Conditional:
if(condition, then, else),case((cond1, val1), ..., elseVal)
Only functions supported by your Cruncher deployment are available. See the main documentation for a full list.
- Use
evalto compute new values, transform fields, or perform calculations. - You can assign multiple fields by chaining multiple
evalcommands in your pipeline. - Use conditional logic to create new fields based on complex criteria.
Examples
Section titled “Examples”| eval duration_sec = duration / 1000This creates a duration_sec field by dividing duration by 1000.
| eval is_error = (status == "error")This creates a boolean field is_error that is true when status equals "error".
| eval user_lower = lower(user)This creates a new field user_lower with the lowercase value of user.
| eval error_type = if(status == "error", "critical", "normal")This creates a new field error_type based on the value of status.
| eval match_found = match(message, `^Error:.*`)This creates a boolean field match_found that is true when message matches the regex.
| eval group = case(status == "error", "A", status == "warn", "B", "C")This creates a field group with value "A" for errors, "B" for warnings, and "C" otherwise.