The eval command is one of the most useful tools in Splunk. It lets you create new fields, perform calculations, apply conditional logic, and transform data into formats you can actually work with. If you're writing searches, you'll use eval constantly.
What the Eval Command Does
The eval command evaluates expressions and assigns the result to a field. You can use it to create entirely new fields, modify existing ones, or convert data types. Think of it as a calculator that works on your search results in real time.
It's flexible enough to handle simple math like adding two numbers together or complex conditional logic with nested functions. Every value in the field gets evaluated, so you can transform thousands of events in one search.
Basic Eval Syntax
Here's the simplest form:
... | eval new_field = expression
That's it. Replace "new_field" with whatever you want to call your new field, and replace "expression" with the calculation or transformation you want to perform.
If the field already exists, eval updates its values. If it doesn't exist, eval creates it. All events in your search results get the new field, but only the ones matching your expression get populated with the result.
Creating New Fields with Math
Math operations are straightforward. You can add, subtract, multiply, and divide numbers:
source="access.log" | eval response_time_ms = response_time * 1000
This creates a new field called response_time_ms by multiplying the existing response_time field by 1000. Useful when you need to convert units or scale numbers for analysis.
You can combine multiple fields:
source="sales.log" | eval total_cost = quantity * unit_price
Now you have a field showing the total cost for each transaction. Chain operations together however you need.
String Operations
Eval can work with text, not just numbers. The concatenation operator joins strings together:
source="user_activity" | eval full_name = first_name + " " + last_name
This combines first and last names with a space between them. Useful for creating readable identifiers from existing fields.
You can also extract parts of strings using functions like substr():
source="api.log" | eval first_three = substr(api_key, 1, 3)
This extracts the first three characters from the api_key field. String manipulation becomes handy when parsing logs that aren't perfectly structured.
Conditional Logic with If
Sometimes you need different behavior based on a condition. The if() function handles this:
source="errors.log" | eval severity = if(error_code >= 500, "critical", "warning")
If the error code is 500 or higher, the field gets "critical". Otherwise, it gets "warning". Now you can easily filter and group by severity without creating new source data.
You can nest if statements for more complex logic:
source="app.log" | eval status = if(response_code >= 200 AND response_code < 300, "success", if(response_code >= 400 AND response_code < 500, "client_error", "server_error"))
This categorizes response codes into three buckets. Nested ifs get hard to read fast, but they work for situations with multiple conditions.
Want to go deeper?
No Nonsense Introduction to Splunk
Skip the endless docs rabbit hole. This hands-on course takes you from zero to confident with Splunk searches, dashboards, and alerts. Taught by a Splunk Certified Architect with over 10 years of real-world experience.
View the course →Working with Time
Splunk has functions for converting time formats and calculating time differences. The strftime() function converts epoch time to human readable format:
source="events.log" | eval formatted_time = strftime(_time, "%Y-%m-%d %H:%M:%S")
The _time field contains epoch timestamps. strftime() converts it to a readable format with the pattern you specify. This makes log output much easier to read.
You can calculate time differences between fields:
source="transactions.log" | eval processing_duration = end_time - start_time
This gives you the duration in seconds. Useful for performance analysis or identifying slow operations.
Using Case for Multiple Conditions
The case() function handles multiple conditions more cleanly than nested ifs:
source="logs.log" | eval priority = case(level="ERROR", 1, level="WARNING", 2, level="INFO", 3, 1=1, 4)
This maps log levels to priority numbers. The last condition 1=1 is always true and acts as a default fallback. Case statements are easier to read than deeply nested if statements.
Functions for Data Types
Eval includes functions to convert between data types. The tonumber() function converts strings to numbers:
source="csv.log" | eval user_count = tonumber(count_field)
If your CSV import brings in numbers as text, tonumber fixes it so you can do math on them. The tostring() function does the opposite.
The typeof() function tells you what data type a field contains:
... | eval field_type = typeof(some_field)
This helps when debugging searches with unexpected results. It returns "number", "string", "bool", or "null" depending on the field.
Common Eval Patterns
You'll use eval for these situations repeatedly. Calculating percentages from two fields:
... | eval success_rate = (successful / total) * 100
Extracting domains from email addresses:
... | eval email_domain = substr(email, find(email, "@") + 1)
This finds the @ symbol, adds one to skip it, then extracts from that position to the end.
Removing extra whitespace:
... | eval clean_field = trim(field_name)
The trim() function removes leading and trailing spaces. Helpful when field values have inconsistent formatting.
Performance Notes
Eval runs fast, even on millions of events. It evaluates fields on the fly without modifying your source data. However, complex expressions with many nested functions or string operations slow down slightly on very large result sets.
If you're evaluating complex logic on billions of events, consider whether simpler searches or lookahead calculations would be more efficient. For normal searches, eval speed is never the bottleneck.
Where Eval Fits in Your Pipeline
Eval works best after your other filtering and aggregation. First filter with where, then use stats or timechart to aggregate, then eval to transform the results.
source="app.log" error_code=* | stats count by error_code | eval severity = if(error_code >= 500, "critical", "warning")
This filters for errors, counts them by code, then classifies severity. That order keeps things efficient and readable.
You've now seen how eval transforms data and creates the fields you need for analysis. Start using it in your searches and you'll find your analysis becomes much more flexible and powerful.
Ready to level up your Splunk skills? Check out our training course for hands-on practice with search commands and more.
Ready to level up?
No Nonsense Introduction to Splunk
Learn Splunk the practical way. No death-by-slides, no waffle. Just focused video demos with real data and a structured path from installation to dashboards and alerts. From just $4.99 with lifetime access.
Start the course for $4.99 →Relevant lessons in the course