The eval command can be used to modify field values through the use of conversion, text, and conditional functions. Before we learn about these types of functions, let's take a brief look at how the eval command is used.

The eval command is a very powerful command that allows us to write the results of an expression to a new or preexisting field. Once that field is created using the eval command, we can use that field in the subsequent lines of our SPL in the search pipeline. When we create these new or preexisting fields and write the results of an expression, we can chain all of these expressions together within one single eval command.

Now, the eval command has its own set of functions that it supports, just like other commands such as the stats, chart, and timechart commands. The difference is that the eval command does not share the same family of functions as the stats command. It will have its own separate, unique set of functions that can be used with it.

If we are creating a brand new field using the eval command, that brand new field is going to be added to our results, as we see here on the very right hand side. We can see we have a table with fields A through D. Once we create that new field using the eval command, that new field will be added to this table with its set of values down this column. Now, if we're writing to a preexisting field using the eval command, this will modify the actual values of that field, as we see here highlighted in red in this E column. The eval command is not overwriting or changing any of the already indexed data. It will only modify the values of these fields at search time.

Now, as I mentioned, the eval command supports its own set of functions, and it also supports a set of operators that can be used within the eval expression. The operators that are available are arithmetic operators, where we can perform a sum, difference, multiplication, division, or the modulo operator, which is the remainder from a division operation. We have two different concatenation operators, a plus and a dot. The plus operator accepts two numbers for addition or two strings for concatenation. The period concatenation operator will concatenate both strings and numbers. Numbers will be concatenated in their string-represented form. Now, Boolean operators are ones that we all may be familiar with, those being an AND Boolean operator, OR, NOT and XOR. XOR will take two arguments and it will result in true if they are different, and false if they are the same. And then lastly, we have a set of comparison operators that allow us to compare values to each other and see where we have values greater than, less than, greater than or equal to, less than or equal to, and even use the LIKE operator if we were interested in working with wildcards.

Here we see an example search where we're looking across our retail sales data for all retail events that are coming from the US. We're computing a total price by each state. We are then creating a brand new field called Performance. This field is being set equal to this expression that contains a case function. The case function is a function of the eval command. We are evaluating multiple different conditions that will return true or false and set the value of Performance to the values we see here highlighted in green. Performance will take the value of "Needs immediate evaluation", "Underperformer", or "Overperformer".

In this search, we have three separate eval commands. Each one of these eval commands is creating a brand new field. The only field that isn't brand new here is this sales field, which was created in the stats command and is now being modified within this last eval command. That eval concatenates a dollar sign, which is wrapped in double quotes and so treated as a string, to the values stored in sales. Those values are converted over to a string with the tostring function of the eval command, which is adding commas to these numeric values, resulting in monetary values stored within the sales field. So within these eval commands, string values will be double quoted.
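The search described above can be approximated with the following added example, which is not the search from the original presentation. The sample rows, the field names country, state and price, the case thresholds and the helper field sales_raw are all assumptions, and `makeresults format=csv` requires a Splunk version that supports it.

```spl
| makeresults format=csv data="country,state,price
US,California,1250000.50
US,California,980000
US,Texas,640000
US,Texas,15500.25
US,Ohio,42000
CA,Ontario,300000"
| search country="US" ```constructed rows stand in for indexed retail sales events```
| stats sum(price) AS sales BY state
| eval Performance=case(sales<100000, "Needs immediate evaluation", sales<1000000, "Underperformer", true(), "Overperformer") ```assumed thresholds; case returns the value for the first condition that is true```
| eval sales_raw=sales ```hypothetical helper field: keeps the numeric total for sorting```
| eval sales="$" + tostring(sales, "commas")
| sort - sales_raw
| table state sales Performance
```

The case expression has to run before sales is reformatted: once tostring has turned sales into a string such as "$655,500.25", the numeric comparisons in case no longer behave as intended, which is also why sorting uses the numeric copy.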