Splunk Eval Examples

Substring

Assuming your search criteria returns a field called mystr

To extract the first N characters of a string use substring(source_field, N):

your search criteria
| eval first_chars=substring(mystr, 5)

If else

Suppose the search criteria returns a field called num

Use if(condition, value_if_true, value_if_false)

your search criteria
| eval is_large_num=if(num > 1000, 1, 0)

Multiple if else

Suppose the search criteria returns a field called num. Note that there is no category when num <= 100

Use case(condition_1, value_when_condition_1, condition_2, value_when_condition_2)

your search criteria
| eval category=case(num > 1000, "very_large", num > 500, "large", num > 100, "medium")

Multiple if else with default option

Suppose the search criteria returns a field called num

Add an extra condition that is always true at the end: true()

your search criteria
| eval category=case(num > 1000, "very_large", num > 500, "large", num > 100, "medium", true(), "low")