The eval command is versatile and useful. Although some eval expressions seem relatively simple, they often can be quite complex. The eval command enables you to devise arbitrary expressions that use automatically extracted fields to create a new field that takes the value that is the result of the expression's evaluation.

This topic discusses how to use the eval command and the evaluation functions.

An eval expression is a combination of literals, fields, operators, and functions that represents the value of your destination field. The expression can involve a mathematical operation, a string concatenation, a comparison expression, a boolean expression, or a call to one of the eval functions. eval expressions require that the field's values are valid for the type of operation.

For example, with the exception of addition, arithmetic operations may not produce valid results if the values are not numerical. For addition, eval can concatenate the two operands if they are both strings. When concatenating values with a period (.), the eval command treats both values as strings, regardless of their actual type.

You can think of an eval expression as everything that follows the eval command, typically up to the next pipe. However, when eval is used inside a stats function, as in Example 1, the eval expression is (eval(status=404)) and it is followed by an AS clause.

### Example 1: Use an eval expression with a stats function

This example searches the status field, which contains HTTP status codes like 200 and 404.

```
sourcetype=access_* | stats count(status)
```

If you run this search, it returns a total count of all events with a value in the status field. You can add a BY clause to organize the count by HTTP code.

```
sourcetype=access_* | stats count(status) by status
```

However, if you want the results for only one specific status, you can use an eval expression. Because the eval expression returns an evaluated field, you must use the AS keyword to specify a name for the evaluated field.

```
sourcetype=access_* | stats count(eval(status=404)) AS status_count
```

This search retrieves all of the events where the sourcetype is any Apache web access log and counts the number of events where the status field value is 404. The results are placed into a field called status_count. You can organize the results using a BY clause.

```
sourcetype=access_* | stats count(eval(status="404")) AS status_count BY source
```

### Example 2: Define a field that is the sum of the areas of two circles

Use the eval command to define a field that is the sum of the areas of two circles, A and B. The area of a circle is πr^2, where r is the radius. For circles A and B, the radii are radius_a and radius_b, respectively.

```
... | eval sum_of_areas = pi() * pow(radius_a, 2) + pi() * pow(radius_b, 2)
```

This eval expression uses the pi and pow functions to calculate the area of each circle, adds the two areas together, and saves the result in a field named sum_of_areas.

### Example 3: Define a location field using the city and state fields

Use the eval command to define a location field using the city and state fields. For example, if city=Philadelphia and state=PA, then location="Philadelphia, PA".

```
... | eval location=city.", ".state
```

This eval expression is a simple string concatenation.

### Example 4: Use eval functions to classify where an email came from

This example uses sample email data. You should be able to run this search on any email data by replacing sourcetype=cisco:esa with the sourcetype value and the mailfrom field with the email address field name in your data.

This example classifies where an email came from based on the email address domain. Addresses whose domain ends in .com, .net, or .org are considered local, while anything else is considered abroad.

```
sourcetype="cisco:esa" mailfrom=* | eval accountname=split(mailfrom, "@"), from_domain=mvindex(accountname, -1), location=if(match(from_domain, "\.(com|net|org)$"), "local", "abroad") | stats count BY location
```

The eval command in this search contains multiple expressions, separated by commas. The split() function is used to break up the email address in the mailfrom field at the @ symbol. The mvindex() function defines from_domain as the last element of that split, that is, the portion of the mailfrom field after the @ symbol. Then, the if() and match() functions are used: if from_domain ends in .com, .net, or .org, the location field is assigned the value local; otherwise it is assigned the value abroad. Finally, stats counts the events by location.
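To make the intermediate values of Example 4 visible, here is the same pipeline replayed in Python over a handful of constructed events (an added illustration, not Splunk's own code or part of the original page). It assumes the anchored pattern `\.(com|net|org)$` for the match() step, and includes an event with no @ in mailfrom and one with no mailfrom field at all, to show what split(), mvindex() and the `mailfrom=*` filter do with them.

```python
import re
from collections import Counter

# Constructed sample events standing in for the results of
# sourcetype="cisco:esa" mailfrom=* (the last event has no mailfrom field).
SAMPLE_EVENTS = [
    {"mailfrom": "alice@example.com"},
    {"mailfrom": "bob@mail.example.org"},
    {"mailfrom": "carol@example.net"},
    {"mailfrom": "dave@example.co.uk"},
    {"mailfrom": "eve@example.de"},
    {"mailfrom": "postmaster"},      # no "@": split() yields a single value
    {"subject": "bounce notice"},    # no mailfrom: dropped by mailfrom=*
]

# Assumed pattern for the match() call: the domain must end in .com, .net or .org.
LOCAL_TLD = re.compile(r"\.(com|net|org)$")


def classify_event(event):
    """Mirror of the eval stage: split(), mvindex(-1) and if(match(...))."""
    mailfrom = event["mailfrom"]
    accountname = mailfrom.split("@")       # eval accountname=split(mailfrom, "@")
    from_domain = accountname[-1]           # eval from_domain=mvindex(accountname, -1)
    # eval location=if(match(from_domain, ...), "local", "abroad")
    location = "local" if LOCAL_TLD.search(from_domain) else "abroad"
    return {**event, "accountname": accountname,
            "from_domain": from_domain, "location": location}


def count_by_location(events):
    """Mirror of 'mailfrom=* | eval ... | stats count BY location'."""
    with_sender = [e for e in events if "mailfrom" in e]   # mailfrom=*
    return dict(Counter(classify_event(e)["location"] for e in with_sender))


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if "mailfrom" in e:
            r = classify_event(e)
            print(f'{r["mailfrom"]:24} from_domain={r["from_domain"]:18} location={r["location"]}')
    print(count_by_location(SAMPLE_EVENTS))
```

Note that an address with no @ symbol falls through to from_domain equal to the whole mailfrom value and is counted as abroad, which is worth remembering when you read the resulting counts.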