1. Using Oracle Log Analytics Search
  2. Command Reference
  3. Eval Command

Eval Command

Use the eval command to calculate the value of an expression and display the value in a new field.

Syntax

Operators and Functions Available with the Command

Note:

While the stats command calculates statistics based on existing fields, the eval command creates new fields by using existing fields and arbitrary expressions. 
*|eval <new_field_name>=<expression>

The following table lists the operators available with the eval command.

Category Example

Arithmetic Operators

 +, -, *, /, %

Comparison Operators

 =, !=, <, >, <=, >=

Logical Operators

 and, or, not

Conditional Operators

 if(<expression>,<expression>,<expression>)

Multiple Comparison Operators

 in, not in

The following table lists the functions available with the eval command.

Category Example

String Functions

  • concat(String, String)

  • indexof (String, String [,int])

  • length(String)

  • literal(String)

  • lower(String)

  • ltrim(String, Character)

  • replace(String, String, String)

  • rtrim(String, Character)

  • substr(String, int [, int])

  • todate(String [, format])

  • toduration(String)

  • tonumber(String)

  • trim(String)

  • trim(String, Character)

  • upper(String)

  • urldecode(String)

  • url(String [, Name [, Parameter]])

    See url Function Details.

Numeric Functions

Date Functions

  • dateadd(date, property, amount)

  • dateset(date, property, value [, property, value])

  • formatdate(date [,format])

  • now()

Network Functions

cidrmatch(String, String)

Note:

  • For the concat() function, you can input numeric data types like integer, float, or long. The numeric fields with be automatically converted to the corresponding string values.

  • You can use || to concatenate n number of inputs. Here too, you can input numeric data types which will be automatically converted to the corresponding string values.

Parameters

The following table lists the parameters used in this command, along with their descriptions.

Parameter Description

new_field_name

Specify the name of the field where the calculated value of the expression is to be displayed.

expression

Specify the expression for which the value needs to be calculated.

Supported Types for the unit function

Unit Names:

  • BYTE
  • KILOBYTE | KB
  • MEGABYTE | MB
  • GIGABYTE | GB
  • TERABYTE | TB
  • PETABYTE | PB
  • EXABYTE | EB
  • MICRO | µs
  • MILLISECOND | MS
  • S | SEC | SECS | SECOND | SECONDS
  • M | MIN | MINS | MINUTE | MINUTES
  • H | HR | HRS | HOUR | HOURS
  • D | DAY | DAYS
  • W | WEEK | WEEKS
  • MON | MONTH | MONTHS
  • Y | YR | YRS | YEAR | YEARS
  • PERCENT | PCT

Supported Currency Types in the unit Function

Specify the currency unit using the following format:

eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>)
eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>_k)
eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>_m)
eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>_b)

The suffixes _k, _m and _b are used to indicate the currency in thousands, millions or billions, respectively. For a full list of currency codes, see ISO Standards.

NLS_Territory Currency
AFGHANISTAN AFN
ALBANIA ALL
ALGERIA DZD
AMERICA USD
ANGOLA AOA
ANTIGUA AND BARBUDA XCD
ARGENTINA ARS
ARMENIA AMD
ARUBA AWG
AUSTRALIA AUD
AUSTRIA EUR
AZERBAIJAN AZN
BAHAMAS BSD
BAHRAIN BHD
BANGLADESH BDT
BARBADOS BBD
BELARUS BYN
BELGIUM EUR
BELIZE BZD
BERMUDA BMD
BOLIVIA BOB
BOSNIA AND HERZEGOVINA BAM
BOTSWANA BWP
BRAZIL BRL
BULGARIA BGN
CAMBODIA KHR
CAMEROON XAF
CANADA CAD
CAYMAN ISLANDS KYD
CHILE CLP
CHINA CNY
COLOMBIA COP
CONGO BRAZZAVILLE XAF
CONGO KINSHASA CDF
COSTA RICA CRC
CROATIA HRK
CURACAO ANG
CYPRUS EUR
CZECH REPUBLIC CZK
DENMARK DKK
DJIBOUTI DJF
DOMINICA XCD
DOMINICAN REPUBLIC DOP
ECUADOR USD
EGYPT EGP
EL SALVADOR SVC
ESTONIA EUR
ETHIOPIA ETB
FINLAND EUR
FRANCE EUR
FYR MACEDONIA MKD
GABON XAF
GEORGIA GEL
GERMANY EUR
GHANA GHS
GREECE EUR
GRENADA XCD
GUATEMALA GTQ
GUYANA GYD
HAITI HTG
HONDURAS HNL
HONG KONG HKD
HUNGARY HUF
ICELAND ISK
INDIA INR
INDONESIA IDR
IRAN IRR
IRAQ IQD
IRELAND EUR
ISRAEL ILS
ITALY EUR
IVORY COAST XOF
JAMAICA JMD
JAPAN JPY
JORDAN JOD
KAZAKHSTAN KZT
KENYA KES
KOREA KRW
KUWAIT KWD
KYRGYZSTAN KGS
LAOS LAK
LATVIA EUR
LEBANON LBP
LIBYA LYD
LIECHTENSTEIN CHF
LITHUANIA EUR
LUXEMBOURG EUR
MACAO MOP
MALAWI MWK
MALAYSIA MYR
MALDIVES MVR
MALTA EUR
MAURITANIA MRU
MAURITIUS MUR
MEXICO MXN
MOLDOVA MDL
MONTENEGRO EUR
MOROCCO MAD
MOZAMBIQUE MZN
MYANMAR MMK
NAMIBIA NAD
NEPAL NPR
NEW ZEALAND NZD
NICARAGUA NIO
NIGERIA NGN
NORWAY NOK
OMAN OMR
PAKISTAN PKR
PANAMA PAB
PARAGUAY PYG
PERU PEN
PHILIPPINES PHP
POLAND PLN
PORTUGAL EUR
PUERTO RICO USD
QATAR QAR
ROMANIA RON
RUSSIA RUB
SAINT KITTS AND NEVIS XCD
SAINT LUCIA XCD
SAUDI ARABIA SAR
SENEGAL XOF
SERBIA RSD
SIERRA LEONE SLL
SINGAPORE SGD
SLOVAKIA EUR
SLOVENIA EUR
SOMALIA SOS
SOUTH AFRICA ZAR
SOUTH SUDAN SSP
SPAIN EUR
SRI LANKA LKR
SUDAN SDG
SURINAME SRD
SWAZILAND SZL
SWEDEN SEK
SWITZERLAND CHF
SYRIA SYP
TAIWAN TWD
TANZANIA TZS
THAILAND THB
THE NETHERLANDS EUR
TRINIDAD AND TOBAGO TTD
TUNISIA TND
TURKEY TRY
TURKMENISTAN TMT
UGANDA UGX
UKRAINE UAH
UNITED ARAB EMIRATES AED
UNITED KINGDOM GBP
URUGUAY UYU
UZBEKISTAN UZS
VENEZUELA VES
VIETNAM VND
YEMEN YER
ZAMBIA ZMW
ZIMBABWE ZWL

url Function Details

The syntax for the url function: 

url(String, Name, Parameter)

Name and Parameter values are optional.

  • String: This can be a URL or one of the predefined short names. For example: 
    eval Link = url('https://www.oracle.com')
  • Name: Optional Name for the URL. For example:
    eval Link = url('https://www.oracle.com', 'Oracle Home Page')
  • Parameter: Optional parameter if a short-cut is used for String. For example:
    eval Link = url('tech', 'Search Oracle', 'ORA-600')

For examples of using this command in typical scenarios, see:

Following are some examples of the eval command. 

*|eval newField = 'foo'
*|eval newField = 123
*|eval newField = upper(Target)
*|eval newField = length('hello world')
*|eval newField = replace('aabbcc', 'bb', 'xx')
*|eval newField = concat(host, concat (':', port))
*|eval newField = host || ':'|| port
*|eval newField = url('Destination URL')
*|eval newField = substr('aabbcc', 2, 4)
*|eval newField = round(123.4)
*|eval newField = unit('Content Size', KB)
eval 'File Size (bytes)' = unit('File Size', 'byte')
eval 'File Size (KB)' = unit('File Size'/1024, 'kb')
eval 'File Size (MB)' = unit('File Size'/(1024*1024), 'mb')
eval 'Time Taken (Sec)' = unit('Time Taken (ms)'/1000, 'SEC')
*|eval newField = floor(4096/1024)+Length
*|eval newField = if (max(Length)(Target), length(Severity)) <= 20, 'OK', 'ERROR')
*|eval newField = urldecode('http%3A%2F%2Fexample.com%3A893%2Fsolr%2FCORE_0_0%2Fquery')
*|eval newField = 'Host Name (Destination)' in (host1, host2)

The following example compares the IP addresses in the field srvrhostip to a subnet range. 

*|eval newField = if (cidrmatch(srvrhostip, '192.0.2.254/25') = 1, 'local', 'not local')

The following example returns the string “Target”.

*|eval newField = literal(Target)

The following example removes the spaces and tabs from both the ends.

*|eval newField = trim(Label)

The following example removes the matching character from both the ends.

*|eval newField = trim('User Name',h)

The following example removes the matching character from the left end.

*|eval newField = ltrim('Error ID',0)

The following example removes the matching character from the right end.

*|eval newField = rtrim('OS Process ID',2)

The following example sets the field date to Start Date and defines the format of the date as MM/dd/yyyy HH:mm. 

*|eval date = toDate('Start Date', 'MM/dd/yyyy HH:mm')

The following example sets the value of the field duration to 1.30. 

*|eval duration = toduration("1.30")

The following example sets the value of the field duration to a numerical value which is the difference of End Time and Start Time. 

*|eval duration = formatDuration('End Time' - 'Start Time')

The following examples illustrate the use of date functions.

*| eval lastHour = dateAdd(now(), hour, -1)
*| eval midnight = dateSet(now(), hour, 0, minute, 0, sec, 0, msec, 0)
*| eval timeOnly = formatDate(now(), 'HH:mm:ss')
*| eval now = now()

The following example sets the value of the field newField with the position of .com in the uri string. 

*|eval newField = indexOf(uri, '.com')

You can use the md5, sha1, and sha256 hash functions with the eval command to filter log data. The following example sets the value of the field user with the value sha1("jane"). 

*|eval user = sha1("jane")

A field with a size or duration type unit would be used to format the values in the Link Analyze chart, addfields histograms and the Link Table: 

'Log Source' = 'FMW WebLogic Server Access Logs'
| link span = 5minute Time, Server
| stats avg('Duration')     as 'Raw Avg. Duration'
        avg('Content Size') as 'Raw Avg. Transfer Size'
| eval 'Average Duration'      = unit('Raw Avg. Duration', ms)
| eval 'Average Transfer Size' = unit('Raw Avg. Transfer Size', byte)
| classify 'Start Time', 'Average Duration', 
          'Average Transfer Size' as 'Response Time vs. Download Sizes'

Mark a field as containing US Dollars, thousands of US Dollars, millions of US Dollars, or billions of US Dollars, respectively:

| eval 'Amount in USD' = unit('Sales Price', usd)
| eval 'Amount in Thousands (USD)' = usd('Quarterly Sales', usd_thousand)
| eval 'Amount in Millions (USD)' = usd('Annual Profit', usd_million)
| eval 'Amount in Billions (USD)' = usd('Annual Sales', usd_billion)