Eval

The eval command evaluates an expression over a field and stores the resulting value in another field.

Syntax: eval <evaluated field name> = exec ("<script query>")

where,

<evaluated field name>: the field in which the result of the script query is stored.

<script query>: a Painless script. Whatever is written here is passed through unchanged as an inline script.

Example: * | eval nf = exec ("return 'NetForest'")

Output: This creates a field named nf and assigns it the value returned by the script (here, the string NetForest).

Figure 39: EVAL example

When a user runs a query, its result is stored in the cache. If the user issues the same request within a minute, the response is served from the cache rather than from the server.


Eval almost Anything

OrderNo:3410 | eval trans=$$doc.SessionID.value + ' ' + doc.OrderNo.value$$

The above query filters the logs to those where OrderNo is 3410 and creates a custom field trans by concatenating the value of the SessionID field, a space, and the value of the OrderNo field.

Note: Any NetForest script can be entered inside $$ ... $$.

* | eval respInMillis=$$doc.resptime.value * 1000$$

The above query returns all logs and creates a custom field respInMillis that converts resptime from seconds to milliseconds.

Eval Construct

This query is used to evaluate an expression of a field and save the resulting value into another field.

exec () – This function takes one parameter as its argument and treats it as the script query to be evaluated.

  • Syntax

eval <evaluated field name> = exec ("<script query>")

where,
<evaluated field name>: the field in which the result of the script query is stored.

<script query>: a Painless script. Whatever is written here is passed through unchanged as an inline script.

Note: To reference a field inside the script, write its name as $<field>$, regardless of whether it is a field extracted by rex or a document field. NetForest determines internally whether the name refers to an extracted field or a document field and converts the query accordingly.

  • Examples
  • Add a value to a field.

NFUI Query:  * | eval nf = exec ("return 'NetForest'")

The above query creates a custom field nf containing the value NetForest.

Figure 40: Eval Construct
  • Evaluate a document field

NFUI Query:  * | eval nf = exec ("return $tier$")

The above query creates a custom field nf whose value is the value of the tier field.

Figure 41
  • Evaluate using the length function.

NFUI Query: * | eval nd = exec ("return $tier$.length()")

The above query creates a custom field nd containing the length of the value of the tier field.

Figure 42: Eval length function
  • Evaluate a combination of an extracted field and a document field, using the replace function.

NFUI Query:  * | rex nf = "([a-z]+)" tier | eval nd = exec("return $nf$.replace($tier$, 'atg')")

A new field nf is created containing only the alphabetic characters of the tier field, and another new field nd is created containing the value of nf with the tier value (for example tvs) replaced by atg.

  • Evaluate a combination of an extracted field and a document field, using the substring function.

NFUI Query:  * | rex nf = "([a-z]+.*)" tier | eval nd = exec("return $nf$.substring(0, 3)")

A new field nf is created containing the value of the tier field from its first lowercase letters onward, and another new field nd is created containing the substring 0-3 of nf.

Ex- if the nf field contains mosaic, the nd field will contain mos.


Figure 43: Evaluate substring function
  • Evaluate a combination of an extracted field and a document field, using the toUpperCase function.

NFUI Query:  * | rex nf = "([a-z]+)" Env | eval nd = exec("return $nf$.toUpperCase()")

A new field nf is created containing only the alphabetic characters of the Env field, and another new field nd is created containing the value of nf in upper case.

Ex- if the nf field contains prod, the nd field will contain PROD.

Figure 44: Evaluate Uppercase Function
  • Evaluate using the concat function.

NFUI Query: * | eval nf = exec ("return $tier$.concat('condata')")

A new field nf is created whose value is the value of the tier field concatenated with the string "condata".

Ex- if the tier field contains mosaic, the nf field will contain mosaiccondata.

Figure 45: Evaluate Concatenate function
  • Evaluate Date format conversion

NFUI Query: * | eval nf = exec("def sf = new SimpleDateFormat('HH:mm:ss MM-dd-yyyy'); return sf.format(new Date(doc['@timestamp'].value));")

A new field nf will be created with the value having changed date format from the field @timestamp.

Figure 46: Date Format Conversion
  • To find the timestamp in a specific time zone

* | eval nf = exec ("def sf = new SimpleDateFormat('HH:mm:ss MM-dd-yyyy'); sf.setTimeZone(TimeZone.getTimeZone('GMT')); return sf.format(new Date(doc['@timestamp'].value));")

A new field nf is created containing the timestamp in the format 'HH:mm:ss MM-dd-yyyy' in the GMT time zone.

Figure 47: Timestamp in Specific Zone
  • Extraction from a numeric field.

* | eval nf = exec("if (doc['httpstatuscode'].empty) { return null; } def m = /([0-9]+.*)/.matcher(String.valueOf(doc['httpstatuscode'].value)); if (m.matches()) { return m.group(1); }")

A new field nf is created that casts the value of the numeric field "httpstatuscode" to a string; the script returns null for documents in which the field is missing.

Figure 48: Evaluate Numeric Field

Using Evaluation (eval) Feature

This feature is used to evaluate a formula or a regular expression. Below is the syntax (to add two numbers) along with an example to illustrate this feature.

Syntax:

* | eval <variable_name1> = exec ("return $<existing_field_name1>$.<function_name>()") | eval <variable_name2> = exec("return $<existing_field_name2>$.<function_name>()") | eval <variable_name> = exec("return $variable_name1$ + $variable_name2$")

Example:

* | eval a = exec ("return $tier$.length()") | eval b = exec("return $server$.length()") | eval c = exec("return $a$ + $b$")

Output: After successful execution of this query, results are displayed in the below format.

Figure 49: Result Format of executed query

Combined Query, Rex, and Eval

We can write complex queries by combining queries with dynamic field extraction.

OrderNo:3410 | rex api1 = "^/([a-zA-Z0-9]+)/.*$" path | eval api1SubStr = substr(api1, 1, 3) | rex api2 = "^/([a-zA-Z]+)/.*$" path | eval api2Length = len(api2)

The above query extracts the logs where OrderNo is 3410, creates the custom fields api1 and api2 from the path field, creates the api1SubStr field containing a substring of api1, and creates the api2Length field containing the length of api2.
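As an added illustration (not NetForest's own code), the following Python script simulates the rex and eval steps from the Eval Construct examples, the Using Evaluation example and the combined query above over a constructed log record. It assumes that a $field$ reference is resolved against rex-extracted fields before document fields (the page only says NetForest decides this internally) and that substr(x, 1, 3) means a 1-based start with a length of 3.

```python
import re
from datetime import datetime, timezone

# Constructed sample log record (not real NetForest data); @timestamp is epoch millis.
DOC = {"tier": "mosaic", "server": "web01", "Env": "prod", "path": "/checkout/cart/add",
       "httpstatuscode": 200, "@timestamp": 1700000000000}

def rex(doc, extracted, new_field, pattern, src):
    """rex <new_field> = "<pattern>" <src>: capture group 1 becomes an extracted field."""
    m = re.search(pattern, str(doc.get(src, "")))
    if m:
        extracted[new_field] = m.group(1)
    return extracted

def field(name, extracted, doc):
    """Resolve a $name$ reference. Assumption: rex-extracted fields are checked before
    document fields (the page only says NetForest decides this internally)."""
    if name in extracted:
        return extracted[name]
    return doc[name]

def eval_examples(doc):
    """Run the page's eval examples over one document; returns the custom fields."""
    ex, out = {}, {}
    rex(doc, ex, "nf", r"([a-z]+)", "tier")                     # rex nf = "([a-z]+)" tier
    out["nf"] = ex["nf"]
    tier = field("tier", ex, doc)
    out["nd_length"] = len(tier)                                 # $tier$.length()
    out["nd_replace"] = ex["nf"].replace(tier, "atg")            # $nf$.replace($tier$, 'atg')
    out["nd_substring"] = ex["nf"][0:3]                          # substring 0-3 of nf
    rex(doc, ex, "envAlpha", r"([a-z]+)", "Env")                 # rex nf = "([a-z]+)" Env
    out["nd_upper"] = ex["envAlpha"].upper()                     # $nf$.toUpperCase()
    out["nf_concat"] = tier + "condata"                          # $tier$.concat('condata')
    ts = datetime.fromtimestamp(doc["@timestamp"] / 1000, tz=timezone.utc)
    out["nf_gmt"] = ts.strftime("%H:%M:%S %m-%d-%Y")             # 'HH:mm:ss MM-dd-yyyy' in GMT
    code = doc.get("httpstatuscode")                             # numeric field -> string
    m = re.fullmatch(r"([0-9]+.*)", str(code)) if code is not None else None
    out["nf_status"] = m.group(1) if m else None
    # Using Evaluation: a = $tier$.length(), b = $server$.length(), c = $a$ + $b$
    out["c"] = len(tier) + len(field("server", ex, doc))
    # Combined query: api1/api2 from path, then substr(api1, 1, 3) and len(api2)
    rex(doc, ex, "api1", r"^/([a-zA-Z0-9]+)/.*$", "path")
    rex(doc, ex, "api2", r"^/([a-zA-Z]+)/.*$", "path")
    out["api1SubStr"] = ex["api1"][0:3]   # assumption: substr(x, 1, 3) = 1-based start, 3 chars
    out["api2Length"] = len(ex["api2"])
    return out

if __name__ == "__main__":
    for k, v in eval_examples(DOC).items():
        print(f"{k} = {v!r}")
```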

Creating Table from Query

A user can create a table directly from the query. Below is the syntax along with an example to illustrate this feature.

Syntax: *|table <field1>, <field2>, <field3>, ...

Example: *|table server, tier, Env

Output: If the query executes successfully, the result is displayed in tabular format with the specified fields as column headers.

Figure 50: Creating Table from Query

JOIN Query

Join queries are used to combine results across different types, e.g. joining logs based on a flowpath id (FPI).

_exists_:FPI AND FPI:4774974341223289035 | dedup type | join FPI [type: errorlog AND _exists_:FPI]

E.g. the above query searches for a specific flowpath id, removes duplicates based on type, and joins the results on FPI.