General Syntax for Eval

The eval operator displays events after evaluating the result of the specified function. Eval operators use the following syntax formats:

| eval newField = expression

EXPRESSION Evaluation of values(fields) or constants with operators

where

expression represents a valid field-based query expression.
Arithmetic expressions or functions are not supported.

Functions that can be used with the eval operator include:

concat, tonumber, tostring, replace(X,Y,Z), abs(X), case(X,"Y",...), ceil(X), ceiling(X), exp(X), floor(X), if(X,Y,Z), isfalse(X), istrue(X), len(X), ln(X), log(X), lower(X), tolower(X), mod(x,y), rand(), round(X), sqrt(X), substr(X,Y,Z), sum(x,y,z,…), trim(X), ltrim(X), rtrim(X), upper(X)toupper(X), urldecode(X).

Aliases that contain special characters have the following syntax restrictions:

Special Characters	Restrictions	Examples
&, !, - , = , % , <, >, \|	Need to be enclosed in single/double quotes when they are reused and the search works as expected.	\| rename Name as 'DP-V' \| eval test = tostring ( "DP-V" )
@, #, +, ?, /, ^, [], {}, _ , *, ~, . $, %	Do not need to be enclosed in single/double quotes when they are reused and the search runs as expected.	\| rename Name as 'DP@V' \| eval test = tostring ( DP@V )
\	When a backslash is used in an alias name, add an additional backslash \ to escape the character. It does not need to be enclosed in single/double quotes when it is reused and the search runs as expected. The outcome field name should show only one backslash.	... \| rename Name as 'DP\\V' \| eval test = tostring ( DP\\V )

Special Characters

Restrictions

Examples

&, !, - , = , % , <, >, |

Need to be enclosed in single/double quotes when they are reused and the search works as expected.

| rename Name as 'DP-V' | eval test = tostring ( "DP-V" )

@, #, +, ?, /, ^, [], {}, _ , *, ~, . $, %

Do not need to be enclosed in single/double quotes when they are reused and the search runs as expected.

| rename Name as 'DP@V' | eval test = tostring ( DP@V )

When a backslash is used in an alias name, add an additional backslash \ to escape the character. It does not need to be enclosed in single/double quotes when it is reused and the search runs as expected.

The outcome field name should show only one backslash.

... | rename Name as 'DP\\V' | eval test = tostring ( DP\\V )

For more information about eval functions, see Understand Eval Functions.

Considerations for Using Eval Functions

Please be aware of the following considerations when using the eval functions:

You might encounter a search error if you run a query that uses both an "All Fields" fieldset and more than five pipeline operations. To avoid this, either reduce the number of fields in the fieldset or reduce the number of pipeline operators in your query.
The md5(X) function is not supported in a FIPS environment.

Examples

Could be a simple constant value: "Hello world", 5.
```
... | eval test0 = 5
```
Could be a simple field: Name, Destination Hostname from the current selected fieldset.
```
... | eval test1 = Name
```

Pipeline operators, such as eval, can use operator chaining to allow output from one pipe operator to be used as input to a subsequent one.

Find the longest URLs from the vendor ArcSight.

deviceVendor = ArcSight |eval urllength=length(requestUrl) |sort urllength

There is no limit to using arithmetic and boolean operators along with data (in fields or as constants).
```
... | eval test3 = Agent Severity + 1
```
```
... | eval test4 = Name and Device Vendor
```
```
... | eval test5 = (Name and Device Vendor) / 2
```
If the boolean operator is the last operation applied, the overall result will be {0,1}.

Examples of expressions that use arithmetic and boolean operators:
```
... | eval test6 = upper(Agent Severity ) + 1
```
```
... | eval test6 = upper(Agent Severity ) and Name
```
If the boolean operator is the last operation applied the overall result will be {0,1}.

Example using "if" and "case" statements:

... | eval test = if ( deviceCustomNumber1 = 200, Success, Failure)
… | eval test = case ( deviceCustomNumber1 = 200, Success, deviceCustomNumber1 = 400, Failure, Unknown)

"Case" requires a final parameter that serves as the else condition. For example:

case(name = 'Mandy', 'analyst', name = 'Oskar', 'operator', unknown') where 'unknown' is the else condition.

Functions can receive other expressions as input:

...  | eval test6 = upper(Agent Severity and 1 ) and Name

Restrictions

Some functions have restrictions based on the data type:

The following expression is not allowed because two different data types (Name and 1) are not allowed in an arithmetic operation.

... | eval test1 = Name + 1

The expression below is not allowed because replace expects string data types for parameters.

... | eval test1 = Name and replace ( 1 , Name , Name )

For more information about syntax requirements that the query must meet, see Understand the Query Syntax.