You can embed eval expressions and functions within any of the stats functions. This is a shorthand method for creating a search without using the eval command separately from the stats command.
For example, the following search uses the eval command to filter for a specific error code. Then the stats function is used to count the distinct IP addresses.
status=* | eval dc_ip_errors=if(status=404,clientip,NULL()) | stats dc(dc_ip_errors)
As an alternative, you can embed an eval expression using eval functions in a stats function directly to return the same results. For example:
status=* | stats dc(eval(if(status=404, clientip, NULL()))) AS dc_ip_errors
Use eval expressions to count the different types of requests against each Web server
This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search.
Run the following search to use the stats command to determine the number of different page requests, GET and POST, that occurred for each Web server.
sourcetype=access_* | stats count(eval(method="GET")) AS GET, count(eval(method="POST")) AS POST BY host
This example uses eval expressions to specify the different field values for the stats command to count.
- The first clause uses the
count()function to count the Web access events that contain themethodfield valueGET. Then, using the AS keyword, the field that represents these results is renamed GET. - The second clause does the same for POST events.
- The counts of both types of events are then separated by the web server, using the BY clause with the
hostfield.
The results appear on the Statistics tab and look something like this:
| host | GET | POST |
|---|---|---|
| www1 | 8431 | 5197 |
| www2 | 8097 | 4815 |
| www3 | 8338 | 4654 |
Use eval expressions to categorize and count fields
This example uses sample email data. You should be able to run this search on any email data by replacing the sourcetype=cisco:esa with the sourcetype value and the mailfrom field with email address field name in your data. For example, the email might be To, From, or Cc).
Find out how much of the email in your organization comes from .com, .net, .org or other top level domains.
The eval command in this search contains two expressions, separated by a comma.
sourcetype="cisco:esa" mailfrom=* | eval accountname=split(mailfrom,"@"), from_domain=mvindex(accountname,-1) | stats count(eval(match(from_domain, "[^\n\r\s]+\.com"))) AS ".com", count(eval(match(from_domain, "[^\n\r\s]+\.net"))) AS ".net", count(eval(match(from_domain, "[^\n\r\s]+\.org"))) AS ".org", count(eval(NOT match(from_domain, "[^\n\r\s]+\.(com|net|org)"))) AS "other"
- The first part of this search uses the
evalcommand to break up the email address in themailfromfield. Thefrom_domainis defined as the portion of themailfromfield after the@symbol.- The
split()function is used to break themailfromfield into a multivalue field calledaccountname. The first value ofaccountnameis everything before the "@" symbol, and the second value is everything after. - The
mvindex()function is used to setfrom_domainto the second value in the multivalue fieldaccountname.
- The
- The results are then piped into the
statscommand. The statscount()function is used to count the results of theevalexpression. - The
evaleexpression uses thematch()function to compare thefrom_domainto a regular expression that looks for the different suffixes in the domain. If the value offrom_domainmatches the regular expression, thecountis updated for each suffix,.com,.net, and.org. Other domain suffixes are counted asother.
The results appear on the Statistics tab and look something like this:
| .com | .net | .org | other |
|---|---|---|---|
| 4246 | 9890 | 0 | 3543 |
See also
- Commands
- eval command in the Search Reference
- Related information
- Statistical and charting functions in the Search Reference
- Evaluation functions in the Search Reference
- About evaluating and manipulating fields
Last modified on 11 May, 2020
| Use the stats command and functions | Add sparklines to search results |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.10, 8.1.0, 7.2.3, 8.0.8, 7.0.1, 8.0.7, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 8.0.9, 8.1.1, 8.1.10
