Use stats with eval expressions and functions (2024)

You can embed eval expressions and functions within any of the stats functions. This is a shorthand method for creating a search without using the eval command separately from the stats command.

For example, the following search uses the eval command to filter for a specific error code. Then the dc() function of the stats command counts the distinct IP addresses.

status=* | eval dc_ip_errors=if(status=404,clientip,NULL()) | stats dc(dc_ip_errors)

As an alternative, you can embed an eval expression using eval functions in a stats function directly to return the same results. For example:

status=* | stats dc(eval(if(status=404, clientip, NULL()))) AS dc_ip_errors

Use eval expressions to count the different types of requests against each Web server

This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search.

Run the following search to use the stats command to determine the number of different page requests, GET and POST, that occurred for each Web server.

sourcetype=access_* | stats count(eval(method="GET")) AS GET, count(eval(method="POST")) AS POST BY host

This example uses eval expressions to specify the different field values for the stats command to count.

  • The first clause uses the count() function to count the Web access events that contain the method field value GET. Then, using the AS keyword, the field that represents these results is renamed GET.
  • The second clause does the same for POST events.
  • The counts of both types of events are then separated by the web server, using the BY clause with the host field.

The results appear on the Statistics tab and look something like this:

host   GET    POST
www1   8431   5197
www2   8097   4815
www3   8338   4654
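The two Web access searches above (the dc() of clients that received a 404, and the GET/POST counts BY host) reproduced in Python, as an added example that is not part of the Splunk documentation. The log lines and host names are constructed; the functions mirror the semantics the searches rely on: NULL() contributes nothing to dc(), and every host gets a row even when both counts are 0.

```python
import re
from collections import defaultdict

# Apache combined-log pattern: remote IP, request method, status code.
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) \S+ \S+" (?P<status>\d{3})'
)

# Constructed (host, raw line) pairs standing in for indexed events. The host is the
# web server that produced the line; in Splunk it comes from the input, not the log text.
RAW_EVENTS = [
    ("www1", '10.0.0.1 - - [10/May/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'),
    ("www1", '10.0.0.2 - - [10/May/2020:10:00:02 +0000] "POST /login HTTP/1.1" 404 128 "-" "curl/7.68.0"'),
    ("www2", '10.0.0.2 - - [10/May/2020:10:00:03 +0000] "GET /admin HTTP/1.1" 404 128 "-" "curl/7.68.0"'),
    ("www2", '10.0.0.3 - - [10/May/2020:10:00:04 +0000] "GET /missing HTTP/1.1" 404 128 "-" "Mozilla/5.0"'),
    ("www3", '10.0.0.1 - - [10/May/2020:10:00:05 +0000] "HEAD /index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"'),
    ("www3", "garbage line that does not parse"),
]


def parse_events(raw_events):
    """Field extraction. Lines that do not parse yield no clientip/method/status
    and are skipped here, so they cannot contribute to any count below."""
    events = []
    for host, line in raw_events:
        m = LOG_RE.match(line)
        if m:
            events.append({"host": host, "clientip": m["clientip"],
                           "method": m["method"], "status": int(m["status"])})
    return events


def dc_404_clients(events):
    """stats dc(eval(if(status=404, clientip, NULL()))) AS dc_ip_errors
    NULL() is ignored by dc(), so only clients that received a 404 are counted;
    a sudden jump in this number is a common sign of path scanning."""
    return len({e["clientip"] for e in events if e["status"] == 404})


def method_counts_by_host(events):
    """stats count(eval(method="GET")) AS GET, count(eval(method="POST")) AS POST BY host
    Every host that has events gets a row; a host with neither method reports 0 for both."""
    rows = defaultdict(lambda: {"GET": 0, "POST": 0})
    for e in events:
        row = rows[e["host"]]
        if e["method"] in row:
            row[e["method"]] += 1
    return dict(rows)
```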

Use eval expressions to categorize and count fields

This example uses sample email data. You should be able to run this search on any email data by replacing sourcetype=cisco:esa with the sourcetype value in your data and replacing the mailfrom field with the name of the email address field in your data (for example, that field might be To, From, or Cc).

Find out how much of the email in your organization comes from .com, .net, .org or other top level domains.

The eval command in this search contains two expressions, separated by a comma.

sourcetype="cisco:esa" mailfrom=* | eval accountname=split(mailfrom,"@"), from_domain=mvindex(accountname,-1) | stats count(eval(match(from_domain, "[^\n\r\s]+\.com"))) AS ".com", count(eval(match(from_domain, "[^\n\r\s]+\.net"))) AS ".net", count(eval(match(from_domain, "[^\n\r\s]+\.org"))) AS ".org", count(eval(NOT match(from_domain, "[^\n\r\s]+\.(com|net|org)"))) AS "other"

  • The first part of this search uses the eval command to break up the email address in the mailfrom field. The from_domain is defined as the portion of the mailfrom field after the @ symbol.
    • The split() function is used to break the mailfrom field into a multivalue field called accountname. The first value of accountname is everything before the "@" symbol, and the second value is everything after.
    • The mvindex() function is used to set from_domain to the second value in the multivalue field accountname.
  • The results are then piped into the stats command. The stats count() function is used to count the results of the eval expression.
  • The eval expression uses the match() function to compare from_domain to a regular expression that looks for the different suffixes in the domain. If the value of from_domain matches the regular expression, the count is updated for the corresponding suffix: .com, .net, or .org. Domains with any other suffix are counted as other.

The results appear on the Statistics tab and look something like this:

.com   .net   .org   other
4246   9890   0      3543
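The domain categorization above reproduced in Python, as an added example that is not from the Splunk documentation, over constructed mailfrom values. It also goes beyond the page to show a caveat: match() is an unanchored search, so the page's patterns also fire on domains such as example.com.au or lists.network.org, and one event can land in more than one column; anchoring each pattern with $ (an alternative assumed here, not on the page) gives columns that sum to the event count.

```python
import re
from collections import Counter

# Constructed mailfrom values (not the Cisco ESA sample data). "erin" and "frank"
# are chosen to expose the unanchored-match pitfall.
SAMPLE_MAILFROM = [
    "alice@example.com",
    "bob@mail.example.net",
    "carol@nonprofit.org",
    "dave@example.co.uk",
    "erin@example.com.au",
    "frank@lists.network.org",
]

# The page's patterns, exactly as used in the search.
PAGE_PATTERNS = {
    ".com": r"[^\n\r\s]+\.com",
    ".net": r"[^\n\r\s]+\.net",
    ".org": r"[^\n\r\s]+\.org",
}
# Assumed hardened variants: the suffix must end the domain.
ANCHORED_PATTERNS = {tld: pat + "$" for tld, pat in PAGE_PATTERNS.items()}


def from_domain(mailfrom):
    """eval accountname=split(mailfrom,"@"), from_domain=mvindex(accountname,-1)"""
    return mailfrom.split("@")[-1]


def count_by_tld(mailfrom_values, patterns):
    """One conditional count per pattern, plus "other" for domains matching none.
    The page's "other" clause (NOT match against the (com|net|org) alternation) is
    equivalent to matching none of the three individual patterns. Splunk's match()
    searches anywhere in the string, so re.search is the faithful translation."""
    counts = Counter({tld: 0 for tld in patterns})
    counts["other"] = 0
    for value in mailfrom_values:
        domain = from_domain(value)
        hits = [tld for tld, pat in patterns.items() if re.search(pat, domain)]
        for tld in hits:
            counts[tld] += 1
        if not hits:
            counts["other"] += 1
    return dict(counts)
```

With the page's patterns the four columns for these six events sum to 7; with the anchored patterns they sum to 6.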

See also

Commands
eval command in the Search Reference
Related information
Statistical and charting functions in the Search Reference
Evaluation functions in the Search Reference
About evaluating and manipulating fields

Last modified on 11 May, 2020


This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.9, 8.0.10, 7.0.1, 8.0.8, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 8.1.0, 8.1.1, 8.1.10


