01.-Using eval to compare (7:22)
02.-Evaluation functions (3:28)
04.-Eval: case function (4:13)
05.-Eval: validate function (1:15)
07.-Eval: match function (4:57)
08.-Eval: replace function (5:38)
We will compare values in our data using conditional statements and commands.
The eval command calculates an expression and puts the resulting value into a new or existing field, which can then be reused in the search pipeline. When used with an existing field, eval overwrites the field's values with the result of the expression at search time, without changing or overwriting any of the indexed data. When a new field is created it takes the values of the expression, but no new data is written to the index. The original index is never altered.
The + operator accepts two numbers for addition or two strings for concatenation. The . operator concatenates both strings and numbers; numbers are concatenated in their string form.
Field values created with the eval command are treated in a case-sensitive manner. Field names must be unquoted, or single-quoted when they include a special character such as a space.
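As an added example (not from the course notes), the following search uses makeresults to build a single result and shows the difference between + and . on numbers and strings, how eval overwrites an existing field only in the search results, and a single-quoted field name containing a space. All field names and values are constructed for the demonstration:

```spl
| makeresults
| eval price = 19.5, quantity = 3
| eval num_sum = price + quantity
| eval str_cat = "SKU" + "-" + "42"
| eval dot_cat = price . quantity
| eval quantity = quantity * 2
| eval 'unit price' = price . " EUR"
```

num_sum is 22.5 (two numbers, addition), str_cat is "SKU-42" (two strings, concatenation) and dot_cat is "19.53" (the . operator concatenates the numbers in string form). The second assignment to quantity replaces its value with 6 in this search's results only; nothing is written back to the index.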
Categorization of states as a function of sales.
Eval expressions can be separated, nested, or chained with commas.
There are 11 categories of evaluation functions (this is not a full list, just a few of them):
- Comparison & Conditional
- Conversion
- Cryptographic (md5, sha1, sha256, sha512)
- Date & time
- Informational
- JSON
- Mathematical (round(X,Y), pow). round(X) without Y returns X rounded to an integer.
- Multivalue
- Statistical (avg, max, min, random). random returns a pseudo-random integer ranging from zero to 2³¹-1.
- Text
- Trigonometry and hyperbolic
Generally, evaluation functions evaluate an expression based on the events and return a result, but some do not evaluate any expression and instead return a result based on their own functionality.
We can use these functions with other commands such as where and fieldformat.
The new field created with the eval command shows in the field sidebar. We can make it a selected field to display it along the bottom row of each event.
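The following search is an added example, not part of the course notes, that touches one function from several of the categories above: round with and without Y, pow, random reduced with the modulo operator, a cryptographic hash, a date function, a multivalue function and an informational one. Every value is constructed inline with makeresults, so it runs without any indexed data:

```spl
| makeresults
| eval rounded = round(3.14159, 2), truncated = round(3.7)
| eval power = pow(2, 10)
| eval dice = (random() % 6) + 1
| eval user_hash = sha256("alice")
| eval day = strftime(_time, "%Y-%m-%d")
| eval tags = split("web,prod,eu", ","), tag_count = mvcount(tags)
| eval power_type = typeof(power), shout = upper("eval")
```

rounded is 3.14 and truncated is 4, power is 1024, dice is a value between 1 and 6 drawn from random's 0 to 2³¹-1 range, tag_count is 3 and power_type is "Number". random and split are examples of functions that do not evaluate a field from the event but return a result from their own behaviour.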
The case function evaluates multiple boolean expressions and returns a value based on these multiple else/if statements. It allows us to enter multiple boolean expressions, each followed by the argument to return if that expression evaluates to true. Only the argument of the first expression that evaluates to true is returned. If none of the expressions evaluate to true, a null value is returned. To provide a default, make the last condition true() or 1=1.
The validate function works exactly like case, except that instead of returning an argument when an expression evaluates to true, it returns the argument when an expression evaluates to false.
Evaluates a value from a field against a list of possible values and returns true if it finds a match. It must be nested in an if or case function when used in an eval command; when used in the where command it does not need to be nested inside if or case.
Matching functions that return true or false if a supplied condition is matched by returned values.
The searchmatch function is a function of the eval command that must be embedded within the if function. It returns true or false depending on whether the event matches the search string passed in as an argument.
The cidrmatch(X, Y) eval function returns true or false depending on whether the IP address passed in Y matches the subnet specified by X.
match(SUBJECT, "<regex>") uses a regular expression to match on the SUBJECT argument, returning true if a match occurs. match can be made to behave like the searchmatch function by passing _raw as the subject field; searchmatch by default works off the _raw data.
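One search, added here as an example and not part of the course material, exercises the matching functions described above: the list-membership function (this is Splunk's in function, which the notes describe without naming), searchmatch, cidrmatch and match, first nested inside if within eval and then used directly in where. The event fields (user, src, action, _raw) are constructed with makeresults; the privileged-account list and the 10.0.0.0/8 internal range are assumptions for the demonstration:

```spl
| makeresults
| eval user = "admin", src = "10.1.4.22", action = "login"
| eval _raw = "user=admin src=10.1.4.22 action=login"
| eval is_privileged = if(in(user, "root", "admin", "svc_backup"), "yes", "no")
| eval is_internal = if(cidrmatch("10.0.0.0/8", src), "yes", "no")
| eval is_login = if(searchmatch("action=login"), "yes", "no")
| eval src_is_ipv4 = if(match(src, "^\d{1,3}(\.\d{1,3}){3}$"), "yes", "no")
| eval raw_has_admin = if(match(_raw, "user=admin"), "yes", "no")
| where in(user, "root", "admin") AND cidrmatch("10.0.0.0/8", src)
```

All five flags come out "yes" for this event, and the final where keeps it because both conditions hold. Note that in eval each function sits inside if, while in where they are used bare. raw_has_admin shows match against _raw doing the same job as searchmatch, and cidrmatch takes the subnet first and the address second.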
replace(X, Y, Z) replaces characters in a field's values. It is helpful for masking, at search time, sensitive information within the data, such as exposed account codes, DNI and credit card numbers, which should ideally be masked prior to onboarding the data into Splunk. X is a string or field name. Y is a regular expression to be matched on the values of X. Z is the value that replaces the parts of X's values that match the regular expression Y.
Masking the last 4 digits of an account code.
Masking the central octets of an IP address.
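The two maskings named above, written out as an added example (not the course's own search). The account code, IP address and card number are constructed sample values; the capture groups and the \1 and \2 back-references in Z keep the parts that are safe to show:

```spl
| makeresults
| eval account = "ACC-2024-8831", src_ip = "192.168.47.201", card = "1234 5678 9012 3456"
| eval account_masked = replace(account, "\d{4}$", "XXXX")
| eval src_ip_masked = replace(src_ip, "^(\d{1,3})\.\d{1,3}\.\d{1,3}\.(\d{1,3})$", "\1.xxx.xxx.\2")
| eval card_masked = replace(card, "^(\d{4})[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})$", "\1 XXXX XXXX \2")
| table account account_masked src_ip src_ip_masked card card_masked
```

account_masked is "ACC-2024-XXXX", src_ip_masked is "192.xxx.xxx.201" and card_masked is "1234 XXXX XXXX 3456". Because replace runs at search time, the unmasked values are still in the index and visible to anyone whose search omits the eval; as the notes say, data of this kind should be masked before onboarding, and search-time replace is a presentation control, not a data-protection one.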
fieldformat formats values without changing the underlying value. The fieldformat command uses the same functions as the eval command. Once these results are formatted they cannot be modified by any subsequent commands.
Format a numeric result into a string with commas.
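An added example (not from the course) of formatting a number with commas, contrasting eval, which replaces the value with a string, and fieldformat, which keeps the numeric value and only changes how it is displayed. The byte count is a constructed value, and fieldformat is placed last in the pipeline as the notes advise:

```spl
| makeresults
| eval bytes = 1234567890
| eval bytes_as_text = tostring(bytes, "commas")
| fieldformat bytes = tostring(bytes, "commas")
```

Both bytes and bytes_as_text display as 1,234,567,890, but bytes_as_text is now a string while bytes is still the number 1234567890 underneath the formatting.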
When the results of a search contain null values and display empty fields, they can be substituted for a more readable output with the fillnull command. By default fillnull replaces null values in all fields with zero. A different value can be specified with value="N/A". Use the field-list to restrict the fields where null values will be replaced.
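As an added example, not taken from the course, the search below builds three constructed results in which case produces nulls (no condition matched), then applies fillnull once with a custom value restricted to one field and once with its default of zero:

```spl
| makeresults count=3
| streamstats count AS n
| eval user = case(n=1, "alice", n=2, "bob"), failures = case(n=3, 7)
| fillnull value="N/A" user
| fillnull failures
| table n user failures
```

The third row gets user "N/A" (the custom value, applied only to user because of the field list), and the first two rows get failures 0 (the default value). Without a field list, the second fillnull would also have touched any other null field.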
where uses the same syntax as the eval command and supports the same functions, but filters the events to keep only the results for which the expression evaluates to true. It interprets unquoted or single-quoted strings as fields and double-quoted strings as field values, and treats field values in a case-sensitive manner.
Comparing the search and where commands: where allows field-on-field comparison and uses mathematical and boolean operators (case-sensitively) to evaluate values within the eval expression, returning true or false. The search command does not support field-on-field comparison.
The where command interprets *, the search command's wildcard, as a literal character or as a mathematical operator. Use % instead for multiple characters and _ for a single character, either with the like operator or the like(string, pattern) function.
Filter usernames starting with adm.
Filtering null values.
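The two filters named above, plus a field-on-field comparison, as one added example (not the course's own search). Four results are constructed with makeresults; note that like is case-sensitive, so "ADM_carol" does not match "adm%", and that the fourth row has no user at all:

```spl
| makeresults count=4
| streamstats count AS n
| eval user = case(n=1, "adm_alice", n=2, "bob", n=3, "ADM_carol")
| eval bytes_in = n * 100, bytes_out = case(n=1, 500, n=2, 50, n=3, 900, n=4, 10)
| where isnotnull(user)
| where like(user, "adm%") OR user="bob"
| where bytes_out > bytes_in
| table n user bytes_in bytes_out
```

The first where drops row 4 (null user), the second keeps adm_alice and bob but not ADM_carol, and the field-on-field comparison keeps only row 1, where bytes_out (500) exceeds bytes_in (100). The same pattern could not be written with search, which has no field-on-field comparison and would read the % as a literal.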
Identify periods of time with no sales.
Visualize evolution on time of partition space usability.
Count how many events fall in each quartile according to the normalized value of data.Key_count