`eval`

Use the eval command to calculate the value of an expression and display the value in a new field.

Note

While the stats command calculates statistics based on existing fields, the eval command creates new fields by using existing fields and arbitrary expressions.
String processing functions like indexof and substr are resource intensive. Due to this, running the eval command with these functions against large number of log records, or large field values is not recommended. Instead, extract these values using the Extended Field Definitions (EFD) or Labels in your Log Source. See Use Extended Fields in Sources and Use Labels in Sources.
Ensure that the field name used in the eval command does not contain the characters [ and ].

Syntax

*|eval <new_field_name>=<expression>

Operators and Functions Available with the Command:

The following table lists the operators available with the eval command.

Category	Example
Arithmetic Operators	`+`, `-`, `*`, `/`, `%`
Comparison Operators	`=`, `!=`, `<`, `>`, `<=`, `>=`
Logical Operators	`and`, `or`, `not`
Conditional Operators	`if(<expression>,<expression>,<expression>)`
Multiple Comparison Operators	`in`, `not in`

The following table lists the functions available with the eval command.

String Functions

Generally, the input for the functions can be literal string or string field.

Function	Description	Example
`capitalize(String)`	Capitalize the first character of the string.	`capitalize("hello world")` results in `"Hello world"`. When `severity="fatal"`, `capitalize(severity)` results in `"Fatal"`.
`concat(String, String)`	Joins two or more strings together end to end, into one single string. For the `concat()` function, you can input numeric data types like integer, float, or long. The numeric fields with be automatically converted to the corresponding string values. You can use `\|\|` to concatenate n number of inputs. Here too, you can input numeric data types which will be automatically converted to the corresponding string values.	`concat("System, Error")` results in `"SystemError"`. When `severity="fatal"` and `host="my_host_123"`, `concat(severity, concat("_", host))` results in `"fatal_my_host_123"`.
`decode64(String)`	Decodes the Base64 encoded text back to readable (UTF-8) string so it can be displayed in results table or used otherwise. Use this function to see the actual content when a log payload or metadata field is encoded. Note: If the string value is a field, it must be a case-sensitive field.	`decode64("SGVsbG8gV29ybGQ=")` results in `"Hello Word"`.
`encode64(String)`	Encodes the input string into Base64 format.	`encode64("Hello World")` results in `"SGVsbG8gV29ybGQ="`.
`fieldName(String)`	Returns the name of the specified field as a string.	`fieldName(Entity)` results in `"Entity"`. (Returns the string name of the field referenced)
`fieldType(String)`	Returns the data type of the specified field, for example, STRING, NUMBER.	`fieldType(Entity)` returns `"STRING"`. `fieldType(Content_Size)` returns `"NUMBER"`.
`indexof (String, String [,int])`	Returns the position (index) of the first occurrence of a substring (literal string or string field) within a string (literal string or string field). You can optionally specify a starting index for the search using the optional third argument. See indexof Function Details.	`indexOf("error_log_01", "_")` returns `5`. `indexOf("error_log_01", "_", 6)` returns `9`. (Starts searching at specified index=6)
`lastindexof(String, String, int)`	Returns the position (index) of the last occurrence of a substring (literal string or string field) within a string (literal string or string field). You can optionally specify a starting index to search from (search backwards from). See lastindexof Function Details.	`lastIndexOf("error_log_01", "_")` returns `9`. `lastIndexOf("error_log_01", "_", 8)` returns `5`. (Searches backward starting from index=8).
`length(String)`	Returns the number of characters in the string.	`length("Oracle")` returns `6` `length(host1)` returns `10`. (where the value of the referenced host1 is a 10 character string, host1="my_host_13")
`literal(String)`	Converts a field value or expression into a literal string.	`literal(Severity)` returns `"Severity"` (returns the field name as a static string)
`lower(String)`	Converts all characters in the string to lower case.	`lower("WARNING")` returns `"warning"` When `severity="FATAL"`, `lower(severity)` returns `"fatal"`
`ltrim(String, Character)`	Removes leading whitespace (when no second argument is specified) or a specified set of characters (optional second argument) from the beginning (left) of the string.	`ltrim(" data")` returns `"data"` `ltrim("xxdata", "x")` returns `"data"`
`replace(String, String, String, String, String, ..)`	Replaces occurrences of a substring with a new string. You can provide multiple pairs of search and replacement strings to perform multiple substitutions at once. See replace Function Details.	`replace("aabbcc", "bb", "xx")` returns `"aaxxcc"` `replace("aabbcc", "aa", "11", "cc", "33")` returns `"11bb33"`
`reverse(String)`	Reverses the order of the characters in the string.	`reverse("flow")` returns `"wolf"`
`rtrim(String, Character)`	Removes trailing whitespace of a specified set of characters from the end (right side) of the string.	`rtrim("data ")` returns `"data"` `rtrim("dataxxx", "x")` returns `"data"`
`substr(String, int [, int])`	Returns a portion of the string, starting at the specified index. You can optionally specify the length of the substring to return. See substr Function Details.	`substr("OCI Log Analytics", 4)` returns `"Log Analytics"` `substr("OCI Log Analytics", 0, 3)` returns `"OCI"`
`todate(String [, format])`	Converts a string timestamp into a Date object. You can optionally specify the format to use to parse the string timestamp.	`toDate("2025-01-01")` returns `2025-01-01T00:00:00.00Z` `toDate("01/01/2025", "MM/dd/yyyy")` returns `2025-01-01T00:00:00.00Z`
`toduration(String)`	Coverts a string representing duration time (HH:mm:ss) into a Duration object, allowing for time math and comparison operations.	`toDuration("1:30:00")` returns `1:30:00` (this represents a duration of 1 hour and 30 mins)
`tonumber(String)`	Converts a string representation of a number into an actual numeric data type.	`toNumber("400")` returns `400` When `employees = "2000"`, value of `toNumber(employees)` is `2000`
`trim(String, Character)`	Removes whitespace from both ends of a string (default), or removes the specified substring if provided as the second argument (optional).	`trim(" 12Error12 ")` returns `"12Error12"` `trim("12Error12", "12")` returns `"Error"`
`upper(String)`	Converts all characters in the string to upper case.	`upper("warning")` returns `"WARNING"` When `severity="fatal"`, `upper(severity)` returns `"FATAL"`
`urlDecode(String)`	Decodes a URL-encoded string back to it's original format.	`urlDecode("query%20text")` returns `"query text"`
`urlEncode(String)`	Encodes a string into it's equivalent URL format.	`urlEncode("query text")` returns `"query%20text"`
`url(String [, Name [, Parameter]])`	Creates a clickable URL link (default), with display name and parameters if specified in the second and third optional arguments, respectively. See url Function Details and Oracle-Defined url Short-Cuts.	`url("https://oracle.com", "Home")` returns `Home` (that redirects to the URL given)

Numeric Functions

Function	Description	Example
`abs(number)`	Returns the absolute value (positive) of a number.	`abs(-13)` returns `13`
`ceil(number)`	Rounds a number up to the nearest whole number (integer).	`ceil(10.2)` returns `11`
`distance(number, number, number, number)`	Calculates the distance between two sets of coordinates given in numbers. The value returned by the function is in miles. The numbers are in degrees. `toRadians()` converts degrees to radians.	`distance(0.71, -1.2, 0.5, -1.1)` returns `892.29`
`distance(string, string)`	Calculates the distance between two sets of coordinates given in strings. The value returned by the function is in miles. The numbers are in degrees.	`distance('0.71, -1.2', '0.5, -1.1')` returns `892.29`
`floor(number)`	Rounds a number down to the nearest whole number (integer).	`floor(13.8)` returns `13`
`formatduration(number)`	Converts a numeric duration value (in seconds) into the time-code HH:mm:ss format.	`formatDuration(3660)` returns `01:01:00`
`max(number, number)`	Returns the higher value of the two provided numbers.	`max(13, 27)` returns `27`
`min(number, number)`	Returns the lower value of the two provided numbers.	`min(13, 27)` returns `13`
`power(number, int)`	Returns the value of a number raised to the specified power.	`power(2, 3)` returns `8`
`round(number, int)`	Rounds a number to the nearest whole number (default), or to a specific number of decimal places if provided in the second argument.	`round(13.3)` returns `13` `round(10.576, 2)` returns `10.58`
`sqrt(number)`	Calculates the square root of a number.	`sqrt(16)` returns `4`
`tostring(number)`	Coverts a numeric value into a string.	`toString(200)` returns `"200"`
`unit(number, unit)`.	Formats a number with the specific unit provided, for example, KB, MB, byte, sec. See Supported Types for the unit Function, Supported Currency Types in the unit Function, and String Functions.	`unit(1024, KB)` returns `1024 KB`

Date Functions

Similar to where command, you can use human readable string to manipulate time in the query. For example, to create a new field named 10mins Later that's 10 minutes ahead of the value in the Time field:

* | eval '10mins Later' = Time + 10mins

See User-Friendly Time Strings in Comparisons.

Function	Description	Example
`dateadd(date, property, amount)`	Adds or subtracts the specified amount of time (property = hour, day, min, etc.) from a date.	`dateAdd(now(), day, 1)` returns `following day's date`
`dateset(date, property, value [, property, value])`	Sets a specific part of a date (that is, setting the hour to 0 to find "midnight").	`dateSet(now(), hour, 0)` returns `today at 00:00`
`formatdate(date [,format])`	Formats a date object into a custom string for display	`now() = the current date (01/27) and time.` `formatDate(now(), "MM/dd")` returns `01/27`
`now()`	Returns the current system date and time.	`now()` returns `2026-01-28T23:16:53Z` (current date and time)

Conditional Functions

Function	Description	Example
`cidrmatch(String, String)`	Checks if an IP address belongs to a specific CIDR block.	`cidrMatch("192.168.1.15", "192.168.1.0/24")` returns `true`
`contains(String, String)`	Returns true if the first string contains the second string. Otherwise returns false.	`contains("error_log_123", "error")` returns `true` `contains("error_log_123", "666")` returns `false`
`endsWith(String, String)`	Returns true if the string (first argument) ends with the specified substring (second argument). Otherwise returns false.	`endsWith("image.png", "png")` returns `true`
`if(<expression1>, <expression2>, <expression3>)`	Evaluates a condition expression1 and returns expression2 if true, returns expression3 if false.	When `Status = 200`, `if(Status == 200, "OK", "ERROR")` returns `"OK"`
`startsWith(String, String)`	Returns true if the string starts with the specified substring.	`startsWith("http://www.example.com", "http")` returns `true`
`anyOf(condition1, condition2, ..., conditionN)`	Returns true if any of the conditions is true, otherwise returns false.	When `Severity="ERROR"`, `anyOf(Severity=="ERROR", Severity=="WARNING", Severity=="FATAL" )` returns `true`
`allOf(condition1, condition2, ..., conditionN)`	Returns true if all the conditions are true, otherwise returns false.	When `Severity="ERROR"`, `anyOf(Severity=="ERROR", Severity=="WARNING", Severity=="FATAL" )` returns `false`
`anyFields(wildCardExpression) = value`	Returns true if any of the fields has the specified value, otherwise returns false.	When `StatusId = 34721`, `anyFields('*Id') = 34721` returns `true` (checks for values of all fields that have `Id` in the field name)
`allFields(wildCardExpression) = value`	Returns true if all the fields have the specified value, otherwise returns false.	When `StatusId = 34721`, `allFields('*Id') = 34721` returns `false` (checks for values of all fields that have `Id` in the field name)

For examples of the use of functions anyOf, allOf, anyFields, and allFields, see search and where.

Hash Functions

Function	Description	Example
`md5(<value to hash>)`	Generates an MD5 hash of the input value.	`md5("password123")` returns `42f749ade7f9e195bf475f37a44cafcb`
`sha1(<value to hash>)`	Generates a SHA-1 hash of the input value.	`sha1("data")` returns `84983c60f7daadc1cb86986216801e7929f60fef`
`sha256(<value to hash>)`	Generates a SHA-256 hash of the input value.	`sha256("data")` returns `3a6eb0790f39ac87c94f3856b2dd2c5d110e6811602261a9a923d3bb23adc8b7`
`sha512(<value to hash>)`	Generates a SHA-512 of the input value.	`sha512("data")` returns `0a747012543e1d6d84d169e54d0399d8d1e34582f34e6d425b8b...`

Note: md5 and sha functions currently operate on the lower case field values.

Trigonometric Functions

Function	Description	Example
`arccos(<number>)`	Returns the arccosine (inverse cosine) of a number in radians.	`arccos(1)` returns `0`
`arcsin(<number>)`	Returns the arcsine (inverse sine) of a number in radians.	`arcsin(1)` returns `1.570796`
`arctan(<number>)`	Returns the arctangent of a number in radians.	`arctan(1)` returns `0.785398` (decimal approx of π/4)
`atan2(<numbera>,<numberb>)`	Returns the arctangent of the quotient of its arguments (y=num1,x=num2). Angle in radians on a polar coordinate, for the cartesian coordinates a=num1 and b=num2.	`arctan(1)` returns `0.785398` (decimal approx of π/4)
`cos(<number>)`	Returns the cosine of an angle in radians.	`cos(0)` returns `1`
`e()`	Returns the mathematical constant e (approximately 2.718).	`e()` returns `2.718281`
`pi()`	Returns the mathematical constant pi (approximately 3.141)	`pi()` returns `3.141592...`
`sin(<number>)`	Returns the sine of an angle in radians.	`sin(1.5708)` returns `1`
`tan(<number>)`	Returns the tangent of an angle in radians.	`tan(0.7854)` returns `1`
`toDegrees(<number>)`	Converts an angle from radians to degrees.	`toDegrees(3.14159)` returns `180`
`toRadians(<number>)`	Converts an angle from degrees to radians.	`toRadians(180)` returns `3.14159`

Parameters

The following table lists the parameters used in this command, along with their descriptions.

Parameter	Description
`new_field_name`	Specify the name of the field where the calculated value of the expression is to be displayed.
`expression`	Specify the expression for which the value needs to be calculated.

For examples of using this command in typical scenarios, see:

Following are some examples of the eval command.

*|eval newField = 'foo'

*|eval newField = 123

*|eval newField = upper(Target)

*|eval newField = length('hello world')

*|eval s =capitalize(severity)

*|eval newField = concat(host, concat (':', port))

*|eval n = contains(uri, '.com')

*|eval n =endsWith(uri, '.com')

*|eval n =startsWith(uri, 'http://oracle')

*|eval s = decode64(value)

*|eval s = encode64(uri)

*|eval s = reverse(Command)

*|eval newField = host || ':'|| port

*|eval newField = round(123.4)

*|eval newField = floor(4096/1024)+Length

*|eval newField = if (max(Length)(Target), length(Severity)) <= 20, 'OK', 'ERROR')

*|eval newField = urlDecode('http%3A%2F%2Fexample.com%3A893%2Fsolr%2FCORE_0_0%2Fquery')

*|eval s = urlEncode(uri)

*|eval newField = 'Host Name (Destination)' in (host1, host2)

*|eval value = arccos(angle)

*|eval value = arcsin(angle)

*|eval value = arctan(angle)

*|eval value = atan2(x, y)

*|eval value = cos(angle)

*|eval value = e()

*|eval value = pi()

*|eval value = sin(angle)

*|eval value = tan(angle)

*|eval value =toDegrees(angle)

*|eval value =toRadians(angle)

The following example compares the IP addresses in the field srvrhostip to a subnet range.

*|eval newField = if (cidrmatch(srvrhostip, '192.0.2.254/25') = 1, 'local', 'not local')

The following example returns the string “Target”.

*|eval newField = literal(Target)

The following example removes the spaces and tabs from both the ends.

*|eval newField = trim(Label)

The following example removes the matching character from both the ends.

*|eval newField = trim('User Name',h)

The following example removes the matching character from the left end.

*|eval newField = ltrim('Error ID',0)

The following example removes the matching character from the right end.

*|eval newField = rtrim('OS Process ID',2)

The following example sets the field date to Start Date and defines the format of the date as MM/dd/yyyy HH:mm.

*|eval date = toDate('Start Date', 'MM/dd/yyyy HH:mm')

The function toDate can also be used to handle epoch as follows:

... | where 'Start Time' > toDate(1405544998000)

The following example sets the value of the field duration to 1.30.

*|eval duration = toduration("1.30")

The following example sets the value of the field duration to a numerical value which is the difference of End Time and Start Time.

*|eval duration = formatDuration('End Time' - 'Start Time')

The following examples illustrate the use of date functions.

*| eval lastHour = dateAdd(now(), hour, -1)
*| eval midnight = dateSet(now(), hour, 0, minute, 0, sec, 0, msec, 0)
*| eval timeOnly = formatDate(now(), 'HH:mm:ss')
*| eval now = now()

You can use the md5, sha1, sha256, and sha512 hash functions with the eval command to filter log data. The following example sets the value of the field user with the value sha1("jane").

*|eval user = sha1("jane")

The following example converts a hex to a decimal and n evaluates to 255:

* | eval n = toNumber('0xFF')

The following example converts an octal number to a decimal and n evaluates to 10:

* | eval n = toNumber('012')

The following command calculates the distance (in miles) between two pairs of lat-long coordinates specified in degrees, when the input values are numbers:

* | eval n = distance(lat1, long1, lat2, long2)

The following command calculates the distance (in miles) between two pairs of lat-long coordinates (in degrees), when the input values are two strings:

* | eval n = distance('lat1,long1', 'lat2,long2')

Examples for unit Function

You can use unit function with Link, Pie, Bar, or any table charts.

Some simple examples:

* | eval newField = unit('Content Size', KB)

* | eval 'File Size (bytes)' = unit('File Size', 'byte')

* | eval 'File Size (KB)' = unit('File Size'/1024, 'kb')

* | eval 'File Size (MB)' = unit('File Size'/(1024*1024), 'mb')

* | eval 'Time Taken (Sec)' = unit(Time/1000, 'SEC')

Examples for common units like bytes, currency, and duration:

* | eval Vol = unit('Content Size Out', byte) | stats sum(Vol) as 'Total Volume'

* | eval Sales = unit('Sales Amount', currency_usd) | stats sum('Sales') as 'Total Sales'

* | eval 'Disk Read Time' = unit('Disk Read Time (millis)', ms) | stats avg('Disk Read Time') as 'Avg Disk Read Time'

Run the above three queries on Tile visualization with the option Format Number checked, for the best results.

A field with a size or duration type unit would be used to format the values in the Link Analyze chart, addfields histograms, Link Table, and Tile visualization:

'Log Source' = 'FMW WebLogic Server Access Logs'
| link span = 5minute Time, Server
| stats avg('Duration')     as 'Raw Avg. Duration'
        avg('Content Size') as 'Raw Avg. Transfer Size'
| eval 'Average Duration'      = unit('Raw Avg. Duration', ms)
| eval 'Average Transfer Size' = unit('Raw Avg. Transfer Size', byte)
| classify 'Start Time', 'Average Duration', 
          'Average Transfer Size' as 'Response Time vs. Download Sizes'

Mark a field as containing US Dollars, thousands of US Dollars, millions of US Dollars, or billions of US Dollars, respectively:

| eval 'Amount in USD' = unit('Sales Price', currency_usd)
| eval 'Amount in Thousands (USD)' = usd('Quarterly Sales', currency_usd_thousand)
| eval 'Amount in Millions (USD)' = usd('Annual Profit', currency_usd_million)
| eval 'Amount in Billions (USD)' = usd('Annual Sales', currency_usd_billion)

Supported Types for the `unit` Function

Unit Names:

PERCENT | PCT
Data size:
- BYTE
- KILOBYTE | KB
- MEGABYTE | MB
- GIGABYTE | GB
- TERABYTE | TB
- PETABYTE | PB
- EXABYTE | EB
Time:
- MILLISECOND | MS
- S | SEC | SECS | SECOND | SECONDS
- M | MIN | MINS | MINUTE | MINUTES
- H | HR | HRS | HOUR | HOURS
- D | DAY | DAYS
- W | WEEK | WEEKS
- MON | MONTH | MONTHS
- Y | YR | YRS | YEAR | YEARS
- MICRO | µs
Power:
- WATT
- KILOWATT | kW
- MEGAWATT | MW
- GIGAWATT | GW
- TERAWATT | TW
- PETAWATT | PW
- EXAWATT | EW
Temperature:
- KELVIN | K
- CELSIUS | C
- FAHRENHEIT | F
Frequency:
- HERTZ | Hz
- KILOHERTZ | kHz
- MEGAHERTZ | MHz
- GIGAHERTZ | GHz
- TERAHERTZ | THz
- PETAHERTZ | PHz
- EXAHERTZ | EHz

Supported Currency Types in the `unit` Function

See eval command example links for using the function in typical scenarios.

Specify the currency unit using the following format:

eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>)
eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>_k)
eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>_m)
eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>_b)

The suffixes _k, _m and _b are used to indicate the currency in thousands, millions or billions, respectively. For a full list of currency codes, see ISO Standards.

`NLS_Territory`	Currency
AFGHANISTAN	AFN
ALBANIA	ALL
ALGERIA	DZD
AMERICA	USD
ANGOLA	AOA
ANTIGUA AND BARBUDA	XCD
ARGENTINA	ARS
ARMENIA	AMD
ARUBA	AWG
AUSTRALIA	AUD
AUSTRIA	EUR
AZERBAIJAN	AZN
BAHAMAS	BSD
BAHRAIN	BHD
BANGLADESH	BDT
BARBADOS	BBD
BELARUS	BYN
BELGIUM	EUR
BELIZE	BZD
BERMUDA	BMD
BOLIVIA	BOB
BOSNIA AND HERZEGOVINA	BAM
BOTSWANA	BWP
BRAZIL	BRL
BULGARIA	BGN
CAMBODIA	KHR
CAMEROON	XAF
CANADA	CAD
CAYMAN ISLANDS	KYD
CHILE	CLP
CHINA	CNY
COLOMBIA	COP
CONGO BRAZZAVILLE	XAF
CONGO KINSHASA	CDF
COSTA RICA	CRC
CROATIA	HRK
CURACAO	ANG
CYPRUS	EUR
CZECH REPUBLIC	CZK
DENMARK	DKK
DJIBOUTI	DJF
DOMINICA	XCD
DOMINICAN REPUBLIC	DOP
ECUADOR	USD
EGYPT	EGP
EL SALVADOR	SVC
ESTONIA	EUR
ETHIOPIA	ETB
FINLAND	EUR
FRANCE	EUR
FYR MACEDONIA	MKD
GABON	XAF
GEORGIA	GEL
GERMANY	EUR
GHANA	GHS
GREECE	EUR
GRENADA	XCD
GUATEMALA	GTQ
GUYANA	GYD
HAITI	HTG
HONDURAS	HNL
HONG KONG	HKD
HUNGARY	HUF
ICELAND	ISK
INDIA	INR
INDONESIA	IDR
IRAN	IRR
IRAQ	IQD
IRELAND	EUR
ISRAEL	ILS
ITALY	EUR
IVORY COAST	XOF
JAMAICA	JMD
JAPAN	JPY
JORDAN	JOD
KAZAKHSTAN	KZT
KENYA	KES
KOREA	KRW
KUWAIT	KWD
KYRGYZSTAN	KGS
LAOS	LAK
LATVIA	EUR
LEBANON	LBP
LIBYA	LYD
LIECHTENSTEIN	CHF
LITHUANIA	EUR
LUXEMBOURG	EUR
MACAO	MOP
MALAWI	MWK
MALAYSIA	MYR
MALDIVES	MVR
MALTA	EUR
MAURITANIA	MRU
MAURITIUS	MUR
MEXICO	MXN
MOLDOVA	MDL
MONTENEGRO	EUR
MOROCCO	MAD
MOZAMBIQUE	MZN
MYANMAR	MMK
NAMIBIA	NAD
NEPAL	NPR
NEW ZEALAND	NZD
NICARAGUA	NIO
NIGERIA	NGN
NORWAY	NOK
OMAN	OMR
PAKISTAN	PKR
PANAMA	PAB
PARAGUAY	PYG
PERU	PEN
PHILIPPINES	PHP
POLAND	PLN
PORTUGAL	EUR
PUERTO RICO	USD
QATAR	QAR
ROMANIA	RON
RUSSIA	RUB
SAINT KITTS AND NEVIS	XCD
SAINT LUCIA	XCD
SAUDI ARABIA	SAR
SENEGAL	XOF
SERBIA	RSD
SIERRA LEONE	SLL
SINGAPORE	SGD
SLOVAKIA	EUR
SLOVENIA	EUR
SOMALIA	SOS
SOUTH AFRICA	ZAR
SOUTH SUDAN	SSP
SPAIN	EUR
SRI LANKA	LKR
SUDAN	SDG
SURINAME	SRD
SWAZILAND	SZL
SWEDEN	SEK
SWITZERLAND	CHF
SYRIA	SYP
TAIWAN	TWD
TANZANIA	TZS
THAILAND	THB
THE NETHERLANDS	EUR
TRINIDAD AND TOBAGO	TTD
TUNISIA	TND
TURKEY	TRY
TURKMENISTAN	TMT
UGANDA	UGX
UKRAINE	UAH
UNITED ARAB EMIRATES	AED
UNITED KINGDOM	GBP
URUGUAY	UYU
UZBEKISTAN	UZS
VENEZUELA	VES
VIETNAM	VND
YEMEN	YER
ZAMBIA	ZMW
ZIMBABWE	ZWL

`indexof` Function Details

The syntax for the index0f function:

indexof (String, String [,int])

indexof (String, String [,start_pos]): Index count begins with 0, returns the index of match starting from the start_pos (if provided), and returns -1 if no match.

The following example sets the value of the field newField with the position of .com in the uri string.

*|eval newField = indexOf(uri, '.com')

Use Case: Extract the relevant portion of the API path from OCI Audit Logs, Path field

The Path field contains a value like /apis/coordination.k8s.io/v1/namespaces/default/leases/oracle.com-oci.

You can extract the value coordination.k8s from the above field by following these steps:

Find the position of the first and second / using the indexOf() function.
Find the position of the third /.
Extract the values after the second /, up to the third /, using the substr() function.

'Log Source' = 'OCI Audit Logs'
| eval firstPos = indexOf(Path, '/')
| eval secondPos = indexOf(Path, '/', firstPos + 1)
| eval API = substr(Path, secondPos + 1, indexOf(Path, '/', secondPos + 1))
| link Path, API

Example output:

Use Case: Extract the relevant portion of the API path from OCI Audit Logs, Path field

`lastindexof` Function Details

The syntax for the lastindexof function:

lastindexof(String, String, int)

lastindexof (String, String [, end_pos]): Index count begins with 0, returns index of last occurrence of substring before the end_pos (if provided), and returns -1 if no match. The end_pos argument is optional.

Some examples for using lastindexof function:

*|eval n = lastindexof(uri, '.com')

Use Case: Extract the Area from the Type field in OCI Audit Logs

The Type field contains a value like com.oraclecloud.computeApi.GetInstance.

To extract computeAPI from the above value, you could use the following scheme:

Identify the position of the last . using lastIndexOf().
From this offset, identify the position of the previous ., using another lastIndexOf(), but by providing the offset from where to search back.
Extract the value between these two positions using substr().

'Log Source' = 'OCI Audit Logs' 
| eval lastDot = lastIndexOf(Type, '.') 
| eval prevDot = lastIndexOf(Type, '.', lastDot - 1) 
| eval Area    = substr(Type, prevDot + 1, lastDot) 
| link Type, Area

Example output:

Use Case: Extract the Area from the Type field in OCI Audit Logs

`replace` Function Details

The syntax for the replace function:

replace(String, String, String, String, String, ..)

replace supports multiple replacements in a single function. Some examples for using replace function:

*|eval newField = replace('aabbcc', 'bb', 'xx')

*|eval newField = replace('aabbcc', 'bb', 'xx', 'cc', 'yy')

Example of multiple replace actions in a single replace function:

* | eval CopiedURL = 'https://cloud.oracle.com/loganalytics/explorer?viz=<VIZ>&encodedQuery=<QUERY>&startTime=<START_TIME>&endTime=<END_TIME>&region=us-phoenix-1&tenant=testtenant'| eval Query = encode64('* | stats count as "Log Records" by "Log Source"') 
| eval 'Start Epoch' = toString(toNumber(toDate(dateRelative(30day)))) 
| eval 'End Epoch' = toString(toNumber(now())) 
| eval Viz = pie 
| eval URL = replace(CopiedURL, '<VIZ>', Viz, '<QUERY>', Query, '<START_TIME>', 'Start Epoch', '<END_TIME>', 'End Epoch')

`substr` Function Details

The syntax for the substr function:

substr(String, int [, int])

substr(String, start_pos, end_pos - 1): index count begins with start_pos and ends with the end_pos - 1.

In the following example, newField is the substring of aabbcc where the start index (inclusive) is 2 and end index (exclusive) is 4. Note that for strings, the index count begins with 0. So the resulting substring is bb.

*|eval newField = substr('aabbcc', 2, 4)

For use cases where substr function is used, see indexof Function Details and lastindexof Function Details.

`url` Function Details

The syntax for the url function:

url(String, Name, Parameter)

Name and Parameter values are optional.

String: This can be a URL or one of the predefined short names. For example:
```
eval Link = url('https://www.oracle.com')
```

Name: Optional Name for the URL. For example:

eval Link = url('https://www.oracle.com', 'Oracle Home Page')

Parameter: Optional parameter if a short-cut is used for String. For example:
```
eval Link = url('tech', 'Search Oracle', 'ORA-600')
```

Some examples for using url function:

* | stats latest(Status) as Status
 | eval ‘HTTP Status Code’ = url(‘https://www.google.com/search?q=http+code+’, Status, Status)

Status != null
 | eval 'HTTP Status Code' = url('https://www.google.com/search?q=http+code+', Status, Status)
 | stats count by Status

Examples for using url function after the link command:

* | link status
 | eval ‘HTTP Status Code’ = url(‘https://www.google.com/search?q=http+code+’, Status, Status)

* | link Type
 | stats latest(Status) as Status
 | eval ‘HTTP Status Code’ = url(‘[https://www.google.com/search?q=http+code+]’, Status, Status)

Oracle-Defined `url` Short-Cuts

The following Oracle-defined short-cuts are available to use with the url function for eval command.

Short-Cut	URL and Description	Example
ora search:oracle	`https://www.google.com/search?q=site:oracle.com%20` Generate a link to search all of `oracle.com` for the specified strings	`eval Help = url('ora', 'Search Oracle', 'ORA-600')` `eval Help = url('search:oracle', 'Search Oracle', 'ORA-600')`
tech oracle-tech	`https://community.oracle.com/tech/search?query=` Generate a link to search Oracle technology forums	`eval Help = url('tech', 'Search Oracle Tech Forums', 'ORA-600')` `eval Help = url('oracle-tech', 'Search Oracle Tech Forums', 'ORA-600')`
mosc oracle-mosc	`https://community.oracle.com/mosc/search?query=` Generate a link to search My Oracle Support forums	`eval Help = url('mosc', 'Search Oracle Support', 'ORA-600')` `eval Help = url('oracle-mosc', 'Search Oracle Support', 'ORA-600')`
google	`https://www.google.com/search?q=` Generate a link to search using Google	`eval 'More Info' = url('google', 'Search using Google', 'ORA-600')`
bing	`https://www.bing.com/search?q=` Generate a link to search using Bing	`eval 'More Info' = url('bing', 'Search using Bing', 'ORA-600')`
ddg duckduckgo	`https://duckduckgo.com/?q=` Generate a link to search using DuckDuckGo	`eval 'More Info' = url('ddg', 'Search using DuckDuckGo', 'ORA-600')` `eval 'More Info' = url('duckduckgo', 'Search using DuckDuckGo', 'ORA-600')`
so stackoverflow	`https://stackoverflow.com/search?q=` Generate a link to search at StackOverflow	`eval 'More Info' = url('so', 'Search using StackOverflow', 'ORA-600')` `eval 'More Info' = url('stackoverflow', 'Search using StackOverflow', 'ORA-600')`
cve	`https://www.cve.org/CVERecord?id=` Generate a link for the given CVE ID	`* \| link` `\| eval 'CVE Details' = url(cve, 'CVE-2021-22931 - Improper Null Termination in Node.js', 'CVE-2021-22931')` `Generates a link to https://www.cve.org/CVERecord?id=CVE-2021-22931`

Oracle Cloud Infrastructure Documentation

eval

Supported Types for the unit Function

Supported Currency Types in the unit Function

indexof Function Details

lastindexof Function Details

replace Function Details

substr Function Details

url Function Details

Oracle-Defined url Short-Cuts