eval search command
This search command evaluates an expression (a field name along with a specified function) and assigns the resulting value to a new field that you specify. When you specify a field, the product runs specified functions on the value of that field and then assigns the resulting value to a new field so that you can further analyze it.
You can perform the following functions:
- Changing the case of a field value to lowercase or uppercase
- Splitting the value of a field into multiple parts depending on the delimiters specified
- Copying portions of a field value
Delimiters can be alphanumeric characters, special characters, or Java regular expressions. When you run the split function, the resulting values are assigned to the new field. Because fields with multiple values are displayed as a comma-separated list, the resulting values from a split function are also displayed as a comma-separated list.
You can also use the split function with a copy function (mvindex) in the command syntax, so that one of the values received by running the split function is copied to the new field.
You can copy portions (a range of values) by specifying a starting index and ending index so that a range of values is copied from the source field and assigned to the new field. The value of the index indicates the particular portion of the field value that must be copied. For example, if the source field has a list of five values and you specify the starting index as 0 and the ending index as 3, then a range of values from the first to the fourth portions is copied and assigned to the new field.
For a list of all search commands, see Search commands.
Syntax
eval <New-Field>=<Expression>
In the preceding syntax, the following definitions apply:
<New-Field>
refers to the name of the new field to which you want to assign the value that was received as a result of running the specified function.
<Expression>
refers to a combination of the specified function and the name of the source field on which you want to run the function.
The following table lists the functions supported:
Function: lower
Syntax: lower(<Source-Field>)
Description: Changes the case of the source field value to lowercase.
Function: upper
Syntax: upper(<Source-Field>)
Description: Changes the case of the source field value to uppercase.
Function: split
Syntax: split(<Source-Field>, "<Delimiter>")
Description: Splits the source field value depending on the delimiter specified. The delimiter can be an alphanumeric character, a special character, or a Java regular expression, and must always be enclosed in double quotes (").
Note: If you want to use a special character such as period (.) or asterisk (*) as a literal delimiter and not as a Java regular expression, you must escape it with a backslash (\) before the special character.
Function: mvindex
Syntax: mvindex(<Source-Field>, <Start-Index>[,<End-Index>])
where the square brackets indicate that <End-Index> is optional.
Description: Copies portions of the source field value depending on the index specified. You can specify a starting index and an ending index so that a comma-separated range of values is copied from the source field and assigned to the new field. Specifying the ending index is optional.
Index is a number starting from 0 to 9 (read from left to right) and -1 to -10 (read from right to left), indicating the portion of the field that must be copied.
Zero indicates the first portion and -1 indicates the last portion.
The end index must be greater than the start index.
Short examples
Example 1: Create a new field, req_type_low with the value of the RequestType field that appears in lowercase.
... | eval req_type_low = lower(RequestType)
Example 2: Create a new field, host_name_up, with the value of the HOST field that appears in uppercase.
... | eval host_name_up = upper(HOST)
Example 3: Create a new field, broken_url, with the value of the RequestURL field such that the new field value shows as a list of values split by the delimiter "/".
... | eval broken_url=split(RequestURL, "/")
Example 4: Create a new field, broken_url, with the value of the RequestURL field split by the delimiter "/". After this, create a new field, resource_root, with the first portion (index 1) of the broken_url value.
... | eval broken_url=split(RequestURL, "/")
| eval resource_root=mvindex(broken_url, 1)
Example 5: Create a new field, broken_url, with the value of the RequestURL field split by the delimiter "/" and then create a new field, resource_param, with the second-to-last portion of the broken_url value.
... | eval broken_url=split(RequestURL, "/")
| eval resource_param=mvindex(broken_url, -2)
Example 6: Create a new field, broken_url, with the value of the RequestURL field split by the delimiter "/" and then create a new field, resource_params, with a range of values (third-to-last portion to the last portion) of the broken_url value.
... | eval broken_url=split(RequestURL, "/")
| eval resource_params=mvindex(broken_url, -3,-1)
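The following Python model is an added example, not product code, that reproduces the split and mvindex semantics the function table and Examples 3 to 6 describe, so you can see why the page's output shows broken_url as ",themes,ComBeta,images,bullet.png" and why index 1 is the first path segment: splitting "/themes/ComBeta/images/bullet.png" on "/" yields an empty portion at index 0 before "themes". It also shows the escaping caveat from the function table: an unescaped "." delimiter is a regular expression that matches every character, whereas "\." splits on a literal period. Assumptions not taken from the page: field values are modelled as Python lists, Python's re module stands in for the product's Java regular-expression engine (the two agree for the simple delimiters used here), an out-of-range single index is modelled as returning no value, and the sample event is constructed from the page's sample indexed data.

```python
"""Model of the eval command's lower/upper/split/mvindex functions.

Added example, not the product's own code. Python's `re` module stands in
for the Java regular-expression engine the product uses (assumption).
"""
import re
from typing import Dict, List, Optional

# Constructed sample event, modelled on the page's "Sample indexed data".
SAMPLE_EVENT: Dict[str, str] = {
    "HOST": "local.bmc.com",
    "RequestType": "POST",
    "RequestURL": "/themes/ComBeta/images/bullet.png",
}


def lower(value: str) -> str:
    """lower(<Source-Field>): value in lowercase."""
    return value.lower()


def upper(value: str) -> str:
    """upper(<Source-Field>): value in uppercase."""
    return value.upper()


def split(value: str, delimiter: str) -> List[str]:
    """split(<Source-Field>, "<Delimiter>").

    The delimiter is a regular expression. A value starting with the
    delimiter (a URL path starting with "/") produces an empty portion at
    index 0, which is why broken_url displays as ",themes,ComBeta,...".
    """
    return re.split(delimiter, value)


def mvindex(values: List[str], start: int, end: Optional[int] = None) -> List[str]:
    """mvindex(<Source-Field>, <Start-Index>[, <End-Index>]).

    0 is the first portion, -1 the last. With an end index, the range is
    inclusive at both ends, so mvindex(x, -3, -1) returns the last three
    portions. Per the page, the end index must be greater than the start.
    """
    n = len(values)

    def normalize(i: int) -> int:
        # Negative indexes count from the right.
        return i + n if i < 0 else i

    s = normalize(start)
    if end is None:
        # Assumption: an out-of-range index yields no value.
        return [values[s]] if 0 <= s < n else []
    e = normalize(end)
    if e <= s:
        raise ValueError("end index must be greater than start index")
    return values[s:e + 1]


def render(values: List[str]) -> str:
    """Multi-value fields are displayed as a comma-separated list."""
    return ",".join(values)


def run_examples(event: Dict[str, str] = SAMPLE_EVENT) -> Dict[str, str]:
    """Apply the page's short examples to one event and return the new fields."""
    broken_url = split(event["RequestURL"], "/")
    return {
        "req_type_low": lower(event["RequestType"]),        # Example 1
        "host_name_up": upper(event["HOST"]),               # Example 2
        "broken_url": render(broken_url),                   # Example 3
        "resource_root": render(mvindex(broken_url, 1)),    # Example 4
        "resource_param": render(mvindex(broken_url, -2)),  # Example 5
        "resource_params": render(mvindex(broken_url, -3, -1)),  # Example 6
        # Escaping caveat: "." as a regex matches every character, so
        # nothing but empty portions remain; "\." splits on a literal period.
        "host_dot_unescaped": render(split(event["HOST"], ".")),
        "host_dot_escaped": render(split(event["HOST"], r"\.")),
    }


if __name__ == "__main__":
    for name, value in run_examples().items():
        print(f"{name}={value}")
```

Running the module prints one new-field=value line per example; compare broken_url, resource_root, resource_param and resource_params against the page's own output lines, and note that host_dot_unescaped is nothing but commas, which is the symptom to look for when a delimiter was not escaped.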
Long examples
The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the eval command.
Sample data
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png |
Sample indexed data
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png |
lower
In this example, you use the command to create a new field, req_type_low, with the value of the RequestType field that appears in lower case.
Command
... | eval req_type_low = lower(RequestType)
Output
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HOST=local.bmc.com |req_type_low=post|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |ResponseSize=100 |RequestType=POST |RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HOST=local.bmc.com |req_type_low=put|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |ResponseSize=200 |RequestType=PUT |RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |req_type_low=get|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |ResponseSize=150 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |req_type_low=get|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |ResponseSize=100 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png |
upper
In this example, you use the command to create a new field, host_name_up, with the value of the HOST field that appears in uppercase.
Command
... | eval host_name_up = upper(HOST)
Output
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HOST=local.bmc.com |host_name_up=LOCAL.BMC.COM|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |ResponseSize=100 |RequestType=POST |RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HOST=local.bmc.com |host_name_up=LOCAL.BMC.COM|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |ResponseSize=200 |RequestType=PUT |RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |host_name_up=LOCAL.BMC.COM|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |ResponseSize=150 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |host_name_up=LOCAL.BMC.COM|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |ResponseSize=100 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png |
split
In this example, you use the command to create a new field, broken_url, with the value of the RequestURL field such that the new field value shows as a list of values split by the delimiter "/".
Command
... | eval broken_url=split(RequestURL, "/")
Output
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HOST=local.bmc.com |broken_url=,themes,ComBeta,images,bullet.png|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |ResponseSize=100 |RequestType=POST |RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HOST=local.bmc.com |broken_url=,themes,ComBeta,images,bullet.png|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |ResponseSize=200 |RequestType=PUT |RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |broken_url=,themes,ComBeta,images,bullet.png|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |ResponseSize=150 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |broken_url=,themes,ComBeta,images,bullet.png|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |
split and mvindex
In this example, you use the command to perform the following actions:
- Create a new field, broken_url with the value of the RequestURL field split by the delimiter "/".
- Create two new fields:
- resource_root field with the first portion (index 1) of the broken_url value
- resource_other field with the second portion (index 2) of the broken_url value
Command
... | eval broken_url=split(RequestURL, "/") |
eval resource_root=mvindex(broken_url, 1) |
eval resource_other=mvindex(broken_url, 2)
Output
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png COLLECTOR_NAME=u4 |ResponseCode=200 |HOST=local.bmc.com |resource_root=themes |resource_other=ComBeta |broken_url=,themes,ComBeta,images,bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png COLLECTOR_NAME=u4 |ResponseCode=201 |HOST=local.bmc.com |resource_root=themes|resource_other=ComBeta |broken_url=,themes,ComBeta,images,bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png COLLECTOR_NAME=u4 |ResponseCode=201 |HOST=local.bmc.com |resource_root=themes |resource_other=ComBeta |broken_url=,themes,ComBeta,images,bullet.png |
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png COLLECTOR_NAME=u4 |ResponseCode=404 |HOST=local.bmc.com |resource_root=themes|resource_other=ComBeta |broken_url=,themes,ComBeta,images,bullet.png |
split and mvindex (with negative index)
In this example, you use the command to perform the following actions:
- Create a new field, broken_url, with the value of the RequestURL field split by the delimiter "/".
- Create a new field, resource_param, with the second-to-last portion of the broken_url value.
Command
... | eval broken_url=split(RequestURL, "/") |
eval resource_param=mvindex(broken_url, -2)
Output
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png COLLECTOR_NAME=u4 |ResponseCode=200 |HOST=local.bmc.com |resource_param=images |broken_url=,themes,ComBeta,images,bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png COLLECTOR_NAME=u4 |ResponseCode=201 |HOST=local.bmc.com |resource_param=images |broken_url=,themes,ComBeta,images,bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png COLLECTOR_NAME=u4 |ResponseCode=201 |HOST=local.bmc.com |resource_param=images |broken_url=,themes,ComBeta,images,bullet.png |
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png COLLECTOR_NAME=u4 |ResponseCode=404 |HOST=local.bmc.com |resource_param=images |broken_url=,themes,ComBeta,images,bullet.png |
split and mvindex (with list of negative indexes)
In this example, you use the command to perform the following actions:
- Create a new field, broken_url, with the value of the RequestURL field split by the delimiter "/".
- Create a new field, resource_params, with a range of values (third-to-last portion to the last portion) of the broken_url value.
Command
... | eval broken_url=split(RequestURL, "/") |
eval resource_params=mvindex(broken_url, -3,-1)
Output
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png COLLECTOR_NAME=u4 |ResponseCode=200 |HOST=local.bmc.com |resource_params=ComBeta,images,bullet.png |broken_url=,themes,ComBeta,images,bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png COLLECTOR_NAME=u4 |ResponseCode=201 |HOST=local.bmc.com |resource_params=ComBeta,images,bullet.png |broken_url=,themes,ComBeta,images,bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png COLLECTOR_NAME=u4 |ResponseCode=201 |HOST=local.bmc.com |resource_params=ComBeta,images,bullet.png |broken_url=,themes,ComBeta,images,bullet.png |
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png COLLECTOR_NAME=u4 |ResponseCode=404 |HOST=local.bmc.com |resource_params=ComBeta,images,bullet.png |broken_url=,themes,ComBeta,images,bullet.png |
Notes
- If the new field name (the target field) is the same as an existing field, the existing field values are replaced by the new values.
- You cannot use the default field names HOST, COLLECTOR_NAME, or DATA_PATTERN as the value of the target field.