eval
Evaluates expressions to add fields to each record or change the values of existing fields.
Command properties
| Item | Description |
|---|---|
| Command type | Transforming |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Supported |
| Distributed execution | Not supported |
Syntax
eval FIELD=EXPR [, FIELD=EXPR ...]
FIELD- Name of the field to assign a value to
EXPR- Expression to assign to the field. You can reference constants, functions, and other fields.
- You can assign multiple fields at once by separating them with commas (
,). - Within the same
evalcommand, a previously assigned field can be referenced in a subsequent expression.
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 20100 | 할당자(=) 가 없습니다. | The assignment operator (=) is missing |
| 20101 | 필드 이름이 없습니다. | The field name is empty |
| 20102 | 표현식이 없습니다. | The expression to assign is empty |
Runtime errors
N/A
Description
The eval command evaluates an expression for each input record and assigns the result to the specified field. If the field already exists, its value is overwritten. If it does not exist, a new field is added.
Examples
-
Calculate field values
json "{}" | eval sent = 100, rcvd = 200, total = sent + rcvdAssigns
sentandrcvdfields, then assigns the sum of the two values to thetotalfield. -
Type conversion using a function
json "{}" | eval num = int("100")Converts the string
"100"to an integer and assigns it to thenumfield. -
String concatenation
json "{}" | eval msg = concat("hello", ", world")Concatenates strings using the
concatfunction and assigns the result to themsgfield. -
Add a field using a conditional expression
table duration=1h WEB_LOGS | eval result = if(status == 200, "success", "fail")Assigns
successorfailto theresultfield based on the value of thestatusfield.