eval

Use the eval command to calculate the value of an expression and display the value in a new field.

Note

  • While the stats command calculates statistics based on existing fields, the eval command creates new fields by using existing fields and arbitrary expressions.

  • String processing functions like indexof and substr are resource intensive. Because of this, running the eval command with these functions against a large number of log records, or against large field values, is not recommended. Instead, extract these values using the Extended Field Definitions (EFD) or Labels in your Log Source. See Use Extended Fields in Sources and Use Labels in Sources.

  • Ensure that the field name used in the eval command does not contain the characters [ and ].

Syntax

*|eval <new_field_name>=<expression>

Operators and Functions Available with the Command:

The following table lists the operators available with the eval command.

Category Example

Arithmetic Operators

+, -, *, /, %

Comparison Operators

=, !=, <, >, <=, >=

Logical Operators

and, or, not

Conditional Operators

if(<expression>,<expression>,<expression>)

Multiple Comparison Operators

in, not in

The following table lists the functions available with the eval command.

String Functions

Generally, the input for these functions can be a literal string or a string field.

Function Description Example

capitalize(String)

Capitalize the first character of the string.

capitalize("hello world") results in "Hello world".

When severity="fatal", capitalize(severity) results in "Fatal".

concat(String, String)

Joins two or more strings together end to end, into one single string.

  • For the concat() function, you can input numeric data types like integer, float, or long. The numeric fields will be automatically converted to the corresponding string values.

  • You can use || to concatenate n number of inputs. Here too, you can input numeric data types which will be automatically converted to the corresponding string values.

concat("System", "Error") results in "SystemError".

When severity="fatal" and host="my_host_123", concat(severity, concat("_", host)) results in "fatal_my_host_123".

decode64(String)

Decodes the Base64 encoded text back to readable (UTF-8) string so it can be displayed in results table or used otherwise. Use this function to see the actual content when a log payload or metadata field is encoded.

Note: If the string value is a field, it must be a case-sensitive field.

decode64("SGVsbG8gV29ybGQ=") results in "Hello World".

encode64(String)

Encodes the input string into Base64 format.

encode64("Hello World") results in "SGVsbG8gV29ybGQ=".

fieldName(String)

Returns the name of the specified field as a string.

fieldName(Entity) results in "Entity". (Returns the string name of the field referenced)

fieldType(String)

Returns the data type of the specified field, for example, STRING, NUMBER.

fieldType(Entity) returns "STRING".

fieldType(Content_Size) returns "NUMBER".

indexof (String, String [,int])

Returns the position (index) of the first occurrence of a substring (literal string or string field) within a string (literal string or string field). You can optionally specify a starting index for the search using the optional third argument.

See indexof Function Details.

indexOf("error_log_01", "_") returns 5.

indexOf("error_log_01", "_", 6) returns 9. (Starts searching at specified index=6)

lastindexof(String, String, int)

Returns the position (index) of the last occurrence of a substring (literal string or string field) within a string (literal string or string field). You can optionally specify a starting index to search from (search backwards from).

See lastindexof Function Details.

lastIndexOf("error_log_01", "_") returns 9.

lastIndexOf("error_log_01", "_", 8) returns 5. (Searches backward starting from index=8).

length(String)

Returns the number of characters in the string.

length("Oracle") returns 6

length(host1) returns 10. (where the value of the referenced host1 is a 10 character string, host1="my_host_13")

literal(String)

Converts a field value or expression into a literal string.

literal(Severity) returns "Severity" (returns the field name as a static string)

lower(String)

Converts all characters in the string to lower case.

lower("WARNING") returns "warning"

When severity="FATAL", lower(severity) returns "fatal"

ltrim(String, Character)

Removes leading whitespace (when no second argument is specified) or a specified set of characters (optional second argument) from the beginning (left) of the string.

ltrim(" data") returns "data"

ltrim("xxdata", "x") returns "data"

replace(String, String, String, String, String, ..)

Replaces occurrences of a substring with a new string. You can provide multiple pairs of search and replacement strings to perform multiple substitutions at once.

See replace Function Details.

replace("aabbcc", "bb", "xx") returns "aaxxcc"

replace("aabbcc", "aa", "11", "cc", "33") returns "11bb33"

reverse(String)

Reverses the order of the characters in the string.

reverse("flow") returns "wolf"

rtrim(String, Character)

Removes trailing whitespace (when no second argument is specified) or a specified set of characters (optional second argument) from the end (right side) of the string.

rtrim("data ") returns "data"

rtrim("dataxxx", "x") returns "data"

substr(String, int [, int])

Returns a portion of the string, starting at the specified index. You can optionally specify the length of the substring to return.

See substr Function Details.

substr("OCI Log Analytics", 4) returns "Log Analytics"

substr("OCI Log Analytics", 0, 3) returns "OCI"

todate(String [, format])

Converts a string timestamp into a Date object. You can optionally specify the format to use to parse the string timestamp.

toDate("2025-01-01") returns 2025-01-01T00:00:00.00Z

toDate("01/01/2025", "MM/dd/yyyy") returns 2025-01-01T00:00:00.00Z

toduration(String)

Converts a string representing a duration (HH:mm:ss) into a Duration object, allowing for time math and comparison operations.

toDuration("1:30:00") returns 1:30:00 (this represents a duration of 1 hour and 30 mins)

tonumber(String)

Converts a string representation of a number into an actual numeric data type.

toNumber("400") returns 400

When employees = "2000", value of toNumber(employees) is 2000

trim(String, Character)

Removes whitespace from both ends of a string (default), or removes the specified substring if provided as the second argument (optional).

trim(" 12Error12 ") returns "12Error12"

trim("12Error12", "12") returns "Error"

upper(String)

Converts all characters in the string to upper case.

upper("warning") returns "WARNING"

When severity="fatal", upper(severity) returns "FATAL"

urlDecode(String)

Decodes a URL-encoded string back to its original form.

urlDecode("query%20text") returns "query text"

urlEncode(String)

Encodes a string into its URL-encoded equivalent.

urlEncode("query text") returns "query%20text"

url(String [, Name [, Parameter]])

Creates a clickable URL link (default), with display name and parameters if specified in the second and third optional arguments, respectively.

See url Function Details and Oracle-Defined url Short-Cuts.

url("https://oracle.com", "Home") returns Home (that redirects to the URL given)

Numeric Functions

Function Description Example

abs(number)

Returns the absolute value (positive) of a number.

abs(-13) returns 13

ceil(number)

Rounds a number up to the nearest whole number (integer).

ceil(10.2) returns 11

distance(number, number, number, number)

Calculates the distance between two sets of coordinates given in numbers. The value returned by the function is in miles. The numbers are in degrees. toRadians() converts degrees to radians.

distance(0.71, -1.2, 0.5, -1.1) returns 892.29

distance(string, string)

Calculates the distance between two sets of coordinates given in strings. The value returned by the function is in miles. The numbers are in degrees.

distance('0.71, -1.2', '0.5, -1.1') returns 892.29

floor(number)

Rounds a number down to the nearest whole number (integer).

floor(13.8) returns 13

formatduration(number)

Converts a numeric duration value (in seconds) into the time-code HH:mm:ss format.

formatDuration(3660) returns 01:01:00

max(number, number)

Returns the higher value of the two provided numbers.

max(13, 27) returns 27

min(number, number)

Returns the lower value of the two provided numbers.

min(13, 27) returns 13

power(number, int)

Returns the value of a number raised to the specified power.

power(2, 3) returns 8

round(number, int)

Rounds a number to the nearest whole number (default), or to a specific number of decimal places if provided in the second argument.

round(13.3) returns 13

round(10.576, 2) returns 10.58

sqrt(number)

Calculates the square root of a number.

sqrt(16) returns 4

tostring(number)

Converts a numeric value into a string.

toString(200) returns "200"

unit(number, unit)

Formats a number with the specific unit provided, for example, KB, MB, byte, sec.

See Supported Types for the unit Function, Supported Currency Types in the unit Function, and String Functions.

unit(1024, KB) returns 1024 KB

Date Functions

As with the where command, you can use human-readable time strings to manipulate time in the query. For example, to create a new field named 10mins Later that is 10 minutes ahead of the value in the Time field:

* | eval '10mins Later' = Time + 10mins

See User-Friendly Time Strings in Comparisons.

Function Description Example

dateadd(date, property, amount)

Adds or subtracts the specified amount of time (property = hour, day, min, etc.) from a date.

dateAdd(now(), day, 1) returns following day's date

dateset(date, property, value [, property, value])

Sets a specific part of a date (for example, setting the hour to 0 to find "midnight").

dateSet(now(), hour, 0) returns today at 00:00

formatdate(date [,format])

Formats a date object into a custom string for display.

formatDate(now(), "MM/dd") returns 01/27 (when now() is the current date and time on 01/27)

now()

Returns the current system date and time.

now() returns 2026-01-28T23:16:53Z (current date and time)

Conditional Functions

Function Description Example

cidrmatch(String, String)

Checks if an IP address belongs to a specific CIDR block.

cidrMatch("192.168.1.15", "192.168.1.0/24") returns true

contains(String, String)

Returns true if the first string contains the second string. Otherwise returns false.

contains("error_log_123", "error") returns true

contains("error_log_123", "666") returns false

endsWith(String, String)

Returns true if the string (first argument) ends with the specified substring (second argument). Otherwise returns false.

endsWith("image.png", "png") returns true

if(<expression1>, <expression2>, <expression3>)

Evaluates a condition expression1 and returns expression2 if true, returns expression3 if false.

When Status = 200, if(Status == 200, "OK", "ERROR") returns "OK"

startsWith(String, String)

Returns true if the string starts with the specified substring.

startsWith("http://www.example.com", "http") returns true

anyOf(condition1, condition2, ..., conditionN)

Returns true if any of the conditions is true, otherwise returns false.

When Severity="ERROR", anyOf(Severity=="ERROR", Severity=="WARNING", Severity=="FATAL" ) returns true

allOf(condition1, condition2, ..., conditionN)

Returns true if all the conditions are true, otherwise returns false.

When Severity="ERROR", allOf(Severity=="ERROR", Severity=="WARNING", Severity=="FATAL" ) returns false

anyFields(wildCardExpression) = value

Returns true if any of the fields has the specified value, otherwise returns false.

When StatusId = 34721, anyFields('*Id') = 34721 returns true (checks for values of all fields that have Id in the field name)

allFields(wildCardExpression) = value

Returns true if all the fields have the specified value, otherwise returns false.

When StatusId = 34721, allFields('*Id') = 34721 returns false (checks for values of all fields that have Id in the field name)

For examples of the use of functions anyOf, allOf, anyFields, and allFields, see search and where.

Hash Functions

Function Description Example

md5(<value to hash>)

Generates an MD5 hash of the input value.

md5("password123") returns 42f749ade7f9e195bf475f37a44cafcb

sha1(<value to hash>)

Generates a SHA-1 hash of the input value.

sha1("data") returns 84983c60f7daadc1cb86986216801e7929f60fef

sha256(<value to hash>)

Generates a SHA-256 hash of the input value.

sha256("data") returns 3a6eb0790f39ac87c94f3856b2dd2c5d110e6811602261a9a923d3bb23adc8b7

sha512(<value to hash>)

Generates a SHA-512 of the input value.

sha512("data") returns 0a747012543e1d6d84d169e54d0399d8d1e34582f34e6d425b8b...

Note: md5 and sha functions currently operate on the lower case field values.
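As an added example (not from the Oracle documentation) of what the note above implies in practice: a digest computed by eval is a digest of the lower-cased value, so when you compare it with a digest produced elsewhere, the input must be lower-cased on both sides or the digests will not match. The names la_hash, raw_hash and matches_indicator are assumptions; the sha256 value for "data" is the one given in the table.

```python
import hashlib


def raw_hash(value: str, algo: str = "sha256") -> str:
    """Digest of the value exactly as given (what most external tools compute)."""
    return hashlib.new(algo, value.encode("utf-8")).hexdigest()


def la_hash(value: str, algo: str = "sha256") -> str:
    """Model (assumed here) of the eval hash functions per the note above: the
    field value is lower-cased before hashing, so the digests of 'Data' and
    'data' coincide, and neither equals raw_hash('Data')."""
    return raw_hash(value.lower(), algo)


def matches_indicator(field_value: str, indicator_hex: str, algo: str = "sha256") -> bool:
    """Compare an eval-style digest with one computed elsewhere. The indicator
    must itself have been produced from the lower-cased value; the hex case
    of the digest string is normalised so 'ABCD..' and 'abcd..' compare equal."""
    return la_hash(field_value, algo) == indicator_hex.strip().lower()


if __name__ == "__main__":
    # Constructed inputs: the same word in three casings.
    for v in ("data", "Data", "DATA"):
        print(f"{v:5} eval-style={la_hash(v)[:16]}... raw={raw_hash(v)[:16]}...")
```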

Trigonometric Functions

Function Description Example

arccos(<number>)

Returns the arccosine (inverse cosine) of a number in radians.

arccos(1) returns 0

arcsin(<number>)

Returns the arcsine (inverse sine) of a number in radians.

arcsin(1) returns 1.570796

arctan(<number>)

Returns the arctangent of a number in radians.

arctan(1) returns 0.785398 (decimal approx of π/4)

atan2(<numbera>,<numberb>)

Returns the arctangent of the quotient of its arguments (y = numbera, x = numberb).

This is the angle in radians on a polar coordinate system for the cartesian coordinates a = numbera and b = numberb.

atan2(1, 1) returns 0.785398 (decimal approx of π/4)

cos(<number>)

Returns the cosine of an angle in radians.

cos(0) returns 1

e()

Returns the mathematical constant e (approximately 2.718).

e() returns 2.718281

pi()

Returns the mathematical constant pi (approximately 3.141).

pi() returns 3.141592...

sin(<number>)

Returns the sine of an angle in radians.

sin(1.5708) returns 1

tan(<number>)

Returns the tangent of an angle in radians.

tan(0.7854) returns 1

toDegrees(<number>)

Converts an angle from radians to degrees.

toDegrees(3.14159) returns 180

toRadians(<number>)

Converts an angle from degrees to radians.

toRadians(180) returns 3.14159

Parameters

The following table lists the parameters used in this command, along with their descriptions.

Parameter Description

new_field_name

Specify the name of the field where the calculated value of the expression is to be displayed.

expression

Specify the expression for which the value needs to be calculated.

Following are some examples of the eval command.

*|eval newField = 'foo'
*|eval newField = 123
*|eval newField = upper(Target)
*|eval newField = length('hello world')
*|eval s =capitalize(severity)
*|eval newField = concat(host, concat (':', port))
*|eval n = contains(uri, '.com')
*|eval n =endsWith(uri, '.com')
*|eval n =startsWith(uri, 'http://oracle')
*|eval s = decode64(value)
*|eval s = encode64(uri)
*|eval s = reverse(Command)
*|eval newField = host || ':'|| port
*|eval newField = round(123.4)
*|eval newField = floor(4096/1024)+Length
*|eval newField = if (max(length(Target), length(Severity)) <= 20, 'OK', 'ERROR')
*|eval newField = urlDecode('http%3A%2F%2Fexample.com%3A893%2Fsolr%2FCORE_0_0%2Fquery')
*|eval s = urlEncode(uri)
*|eval newField = 'Host Name (Destination)' in (host1, host2)
*|eval value = arccos(angle)
*|eval value = arcsin(angle)
*|eval value = arctan(angle)
*|eval value = atan2(x, y)
*|eval value = cos(angle)
*|eval value = e()
*|eval value = pi()
*|eval value = sin(angle)
*|eval value = tan(angle)
*|eval value =toDegrees(angle)
*|eval value =toRadians(angle)

The following example compares the IP addresses in the field srvrhostip to a subnet range.

*|eval newField = if (cidrmatch(srvrhostip, '192.0.2.254/25') = 1, 'local', 'not local')
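The following Python is added here and is not part of the Oracle documentation: it models the cidrmatch check used above with the standard ipaddress module, shows which addresses '192.0.2.254/25' actually covers (the block normalises to 192.0.2.128/25), and returns 'not local' rather than failing when a srvrhostip value is malformed. The names cidr_match, classify, block_bounds and the sample addresses are assumptions.

```python
import ipaddress
from collections import Counter
from typing import Iterable, Tuple


def cidr_match(ip: str, cidr: str) -> bool:
    """Model of cidrmatch(String, String): True when ip lies inside the CIDR
    block. strict=False accepts a host address with a prefix, as in the page's
    '192.0.2.254/25', and treats it as its containing network. Unparseable
    input returns False instead of raising, because log fields are untrusted
    and one malformed value should not abort the whole evaluation."""
    try:
        addr = ipaddress.ip_address(ip.strip())
        net = ipaddress.ip_network(cidr.strip(), strict=False)
    except ValueError:
        return False
    # An IPv6 address is never inside an IPv4 block, and vice versa.
    return addr.version == net.version and addr in net


def block_bounds(cidr: str) -> Tuple[str, str]:
    """First and last address of the block a CIDR string actually denotes."""
    net = ipaddress.ip_network(cidr.strip(), strict=False)
    return str(net.network_address), str(net.broadcast_address)


def classify(srvrhostip: str, block: str = "192.0.2.254/25") -> str:
    """The page's if(cidrmatch(srvrhostip, '192.0.2.254/25') = 1, 'local', 'not local')."""
    return "local" if cidr_match(srvrhostip, block) else "not local"


def classify_all(values: Iterable[str]) -> Counter:
    """Tally local vs not local, as a following stats count by newField would."""
    return Counter(classify(v) for v in values)


# Constructed sample values for the srvrhostip field (not real log data).
SAMPLE_SRVRHOSTIP = [
    "192.0.2.254",   # inside 192.0.2.128/25
    "192.0.2.130",   # inside 192.0.2.128/25
    "192.0.2.15",    # same /24, but below .128, so outside the /25
    "10.0.0.7",      # different network
    "2001:db8::1",   # IPv6, cannot match an IPv4 block
    "not-an-ip",     # malformed field value
]


if __name__ == "__main__":
    print("192.0.2.254/25 covers", block_bounds("192.0.2.254/25"))
    for v in SAMPLE_SRVRHOSTIP:
        print(f"{v:>14} -> {classify(v)}")
    print(classify_all(SAMPLE_SRVRHOSTIP))
```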

The following example returns the string “Target”.

*|eval newField = literal(Target)

The following example removes the spaces and tabs from both the ends.

*|eval newField = trim(Label)

The following example removes the matching character from both the ends.

*|eval newField = trim('User Name',h)

The following example removes the matching character from the left end.

*|eval newField = ltrim('Error ID',0)

The following example removes the matching character from the right end.

*|eval newField = rtrim('OS Process ID',2)

The following example sets the field date to Start Date and defines the format of the date as MM/dd/yyyy HH:mm.

*|eval date = toDate('Start Date', 'MM/dd/yyyy HH:mm')

The function toDate can also be used to handle epoch as follows:

... | where 'Start Time' > toDate(1405544998000)

The following example sets the value of the field duration to 1.30.

*|eval duration = toduration("1.30")

The following example sets the value of the field duration to a numerical value which is the difference of End Time and Start Time.

*|eval duration = formatDuration('End Time' - 'Start Time')

The following examples illustrate the use of date functions.

*| eval lastHour = dateAdd(now(), hour, -1)
*| eval midnight = dateSet(now(), hour, 0, minute, 0, sec, 0, msec, 0)
*| eval timeOnly = formatDate(now(), 'HH:mm:ss')
*| eval now = now()

You can use the md5, sha1, sha256, and sha512 hash functions with the eval command to filter log data. The following example sets the value of the field user with the value sha1("jane").

*|eval user = sha1("jane")

The following example converts a hexadecimal number to a decimal, and n evaluates to 255:

* | eval n = toNumber('0xFF')

The following example converts an octal number to a decimal and n evaluates to 10:

* | eval n = toNumber('012')

The following command calculates the distance (in miles) between two pairs of lat-long coordinates specified in degrees, when the input values are numbers:

* | eval n = distance(lat1, long1, lat2, long2) 

The following command calculates the distance (in miles) between two pairs of lat-long coordinates (in degrees), when the input values are two strings:

* | eval n = distance('lat1,long1', 'lat2,long2')

Examples for unit Function

You can use the unit function with Link, Pie, Bar, or any table charts.

Some simple examples:

* | eval newField = unit('Content Size', KB)
* | eval 'File Size (bytes)' = unit('File Size', 'byte')
* | eval 'File Size (KB)' = unit('File Size'/1024, 'kb')
* | eval 'File Size (MB)' = unit('File Size'/(1024*1024), 'mb')
* | eval 'Time Taken (Sec)' = unit(Time/1000, 'SEC')

Examples for common units like bytes, currency, and duration:

* | eval Vol = unit('Content Size Out', byte) | stats sum(Vol) as 'Total Volume'
* | eval Sales = unit('Sales Amount', currency_usd) | stats sum('Sales') as 'Total Sales'
* | eval 'Disk Read Time' = unit('Disk Read Time (millis)', ms) | stats avg('Disk Read Time') as 'Avg Disk Read Time'

Run the above three queries on Tile visualization with the option Format Number checked, for the best results.

A field with a size or duration type unit is used to format the values in the Link Analyze chart, addfields histograms, Link Table, and Tile visualization:

'Log Source' = 'FMW WebLogic Server Access Logs'
| link span = 5minute Time, Server
| stats avg('Duration')     as 'Raw Avg. Duration'
        avg('Content Size') as 'Raw Avg. Transfer Size'
| eval 'Average Duration'      = unit('Raw Avg. Duration', ms)
| eval 'Average Transfer Size' = unit('Raw Avg. Transfer Size', byte)
| classify 'Start Time', 'Average Duration', 
          'Average Transfer Size' as 'Response Time vs. Download Sizes'

Mark a field as containing US Dollars, thousands of US Dollars, millions of US Dollars, or billions of US Dollars, respectively:

| eval 'Amount in USD' = unit('Sales Price', currency_usd)
| eval 'Amount in Thousands (USD)' = unit('Quarterly Sales', currency_usd_thousand)
| eval 'Amount in Millions (USD)' = unit('Annual Profit', currency_usd_million)
| eval 'Amount in Billions (USD)' = unit('Annual Sales', currency_usd_billion)

Supported Types for the unit Function

Unit Names:

  • PERCENT | PCT
  • Data size:
    • BYTE
    • KILOBYTE | KB
    • MEGABYTE | MB
    • GIGABYTE | GB
    • TERABYTE | TB
    • PETABYTE | PB
    • EXABYTE | EB
  • Time:
    • MILLISECOND | MS
    • S | SEC | SECS | SECOND | SECONDS
    • M | MIN | MINS | MINUTE | MINUTES
    • H | HR | HRS | HOUR | HOURS
    • D | DAY | DAYS
    • W | WEEK | WEEKS
    • MON | MONTH | MONTHS
    • Y | YR | YRS | YEAR | YEARS
    • MICRO | µs
  • Power:
    • WATT
    • KILOWATT | kW
    • MEGAWATT | MW
    • GIGAWATT | GW
    • TERAWATT | TW
    • PETAWATT | PW
    • EXAWATT | EW
  • Temperature:
    • KELVIN | K
    • CELSIUS | C
    • FAHRENHEIT | F
  • Frequency:
    • HERTZ | Hz
    • KILOHERTZ | kHz
    • MEGAHERTZ | MHz
    • GIGAHERTZ | GHz
    • TERAHERTZ | THz
    • PETAHERTZ | PHz
    • EXAHERTZ | EHz

Supported Currency Types in the unit Function

See eval command example links for using the function in typical scenarios.

Specify the currency unit using the following format:

eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>)
eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>_k)
eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>_m)
eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>_b)

The suffixes _k, _m and _b are used to indicate the currency in thousands, millions or billions, respectively. For a full list of currency codes, see ISO Standards.

NLS_Territory Currency
AFGHANISTAN AFN
ALBANIA ALL
ALGERIA DZD
AMERICA USD
ANGOLA AOA
ANTIGUA AND BARBUDA XCD
ARGENTINA ARS
ARMENIA AMD
ARUBA AWG
AUSTRALIA AUD
AUSTRIA EUR
AZERBAIJAN AZN
BAHAMAS BSD
BAHRAIN BHD
BANGLADESH BDT
BARBADOS BBD
BELARUS BYN
BELGIUM EUR
BELIZE BZD
BERMUDA BMD
BOLIVIA BOB
BOSNIA AND HERZEGOVINA BAM
BOTSWANA BWP
BRAZIL BRL
BULGARIA BGN
CAMBODIA KHR
CAMEROON XAF
CANADA CAD
CAYMAN ISLANDS KYD
CHILE CLP
CHINA CNY
COLOMBIA COP
CONGO BRAZZAVILLE XAF
CONGO KINSHASA CDF
COSTA RICA CRC
CROATIA HRK
CURACAO ANG
CYPRUS EUR
CZECH REPUBLIC CZK
DENMARK DKK
DJIBOUTI DJF
DOMINICA XCD
DOMINICAN REPUBLIC DOP
ECUADOR USD
EGYPT EGP
EL SALVADOR SVC
ESTONIA EUR
ETHIOPIA ETB
FINLAND EUR
FRANCE EUR
FYR MACEDONIA MKD
GABON XAF
GEORGIA GEL
GERMANY EUR
GHANA GHS
GREECE EUR
GRENADA XCD
GUATEMALA GTQ
GUYANA GYD
HAITI HTG
HONDURAS HNL
HONG KONG HKD
HUNGARY HUF
ICELAND ISK
INDIA INR
INDONESIA IDR
IRAN IRR
IRAQ IQD
IRELAND EUR
ISRAEL ILS
ITALY EUR
IVORY COAST XOF
JAMAICA JMD
JAPAN JPY
JORDAN JOD
KAZAKHSTAN KZT
KENYA KES
KOREA KRW
KUWAIT KWD
KYRGYZSTAN KGS
LAOS LAK
LATVIA EUR
LEBANON LBP
LIBYA LYD
LIECHTENSTEIN CHF
LITHUANIA EUR
LUXEMBOURG EUR
MACAO MOP
MALAWI MWK
MALAYSIA MYR
MALDIVES MVR
MALTA EUR
MAURITANIA MRU
MAURITIUS MUR
MEXICO MXN
MOLDOVA MDL
MONTENEGRO EUR
MOROCCO MAD
MOZAMBIQUE MZN
MYANMAR MMK
NAMIBIA NAD
NEPAL NPR
NEW ZEALAND NZD
NICARAGUA NIO
NIGERIA NGN
NORWAY NOK
OMAN OMR
PAKISTAN PKR
PANAMA PAB
PARAGUAY PYG
PERU PEN
PHILIPPINES PHP
POLAND PLN
PORTUGAL EUR
PUERTO RICO USD
QATAR QAR
ROMANIA RON
RUSSIA RUB
SAINT KITTS AND NEVIS XCD
SAINT LUCIA XCD
SAUDI ARABIA SAR
SENEGAL XOF
SERBIA RSD
SIERRA LEONE SLL
SINGAPORE SGD
SLOVAKIA EUR
SLOVENIA EUR
SOMALIA SOS
SOUTH AFRICA ZAR
SOUTH SUDAN SSP
SPAIN EUR
SRI LANKA LKR
SUDAN SDG
SURINAME SRD
SWAZILAND SZL
SWEDEN SEK
SWITZERLAND CHF
SYRIA SYP
TAIWAN TWD
TANZANIA TZS
THAILAND THB
THE NETHERLANDS EUR
TRINIDAD AND TOBAGO TTD
TUNISIA TND
TURKEY TRY
TURKMENISTAN TMT
UGANDA UGX
UKRAINE UAH
UNITED ARAB EMIRATES AED
UNITED KINGDOM GBP
URUGUAY UYU
UZBEKISTAN UZS
VENEZUELA VES
VIETNAM VND
YEMEN YER
ZAMBIA ZMW
ZIMBABWE ZWL

indexof Function Details

The syntax for the indexof function:

indexof (String, String [,int])

indexof (String, String [,start_pos]): Index count begins with 0, returns the index of match starting from the start_pos (if provided), and returns -1 if no match.

The following example sets the value of the field newField with the position of .com in the uri string.

*|eval newField = indexOf(uri, '.com')

Use Case: Extract the relevant portion of the API path from OCI Audit Logs, Path field

The Path field contains a value like /apis/coordination.k8s.io/v1/namespaces/default/leases/oracle.com-oci.

You can extract the value coordination.k8s from the above field by following these steps:

  • Find the position of the first and second / using the indexOf() function.
  • Find the position of the third /.
  • Extract the values after the second /, up to the third /, using the substr() function.

'Log Source' = 'OCI Audit Logs'
| eval firstPos = indexOf(Path, '/')
| eval secondPos = indexOf(Path, '/', firstPos + 1)
| eval API = substr(Path, secondPos + 1, indexOf(Path, '/', secondPos + 1))
| link Path, API


lastindexof Function Details

The syntax for the lastindexof function:

lastindexof(String, String, int)

lastindexof (String, String [, end_pos]): Index count begins with 0, returns index of last occurrence of substring before the end_pos (if provided), and returns -1 if no match. The end_pos argument is optional.

Some examples for using the lastindexof function:

*|eval n = lastindexof(uri, '.com')

Use Case: Extract the Area from the Type field in OCI Audit Logs

The Type field contains a value like com.oraclecloud.computeApi.GetInstance.

To extract computeApi from the above value, you could use the following scheme:

  • Identify the position of the last . using lastIndexOf().
  • From this offset, identify the position of the previous ., using another lastIndexOf(), but by providing the offset from where to search back.
  • Extract the value between these two positions using substr().

'Log Source' = 'OCI Audit Logs'
| eval lastDot = lastIndexOf(Type, '.')
| eval prevDot = lastIndexOf(Type, '.', lastDot - 1)
| eval Area    = substr(Type, prevDot + 1, lastDot)
| link Type, Area
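As an added illustration (not from the Oracle documentation), the following Python models the indexof, lastindexof and substr semantics described in the function tables and details sections (0-based positions, -1 on no match, end position exclusive), reproduces the two Audit Logs use cases above, and adds the guard the queries as written lack: when a delimiter is missing, indexof returns -1 and substr would be handed a negative position. The names la_indexof, la_lastindexof, la_substr, extract_api and extract_area, and the Java-style reading of the optional end_pos, are assumptions.

```python
from typing import Optional


def la_indexof(s: str, sub: str, start_pos: int = 0) -> int:
    """indexof(String, String [, start_pos]): 0-based index of the first match
    at or after start_pos, or -1 when there is no match."""
    return s.find(sub, max(start_pos, 0))


def la_lastindexof(s: str, sub: str, end_pos: Optional[int] = None) -> int:
    """lastindexof(String, String [, end_pos]): 0-based index of the last match
    that starts at or before end_pos (Java-style semantics, assumed here),
    or -1 when there is no match."""
    if end_pos is None:
        return s.rfind(sub)
    if end_pos < 0:
        return -1
    # rfind's end bound is exclusive, so extend it to allow a match at end_pos.
    return s.rfind(sub, 0, end_pos + len(sub))


def la_substr(s: str, start_pos: int, end_pos: Optional[int] = None) -> str:
    """substr(String, start_pos [, end_pos]): characters from start_pos
    (inclusive) to end_pos (exclusive). Negative positions are rejected rather
    than silently counting from the end as a Python slice would, because a -1
    coming from a failed indexof is exactly how this goes wrong."""
    if end_pos is None:
        end_pos = len(s)
    if start_pos < 0 or end_pos < 0 or start_pos > end_pos:
        raise ValueError(f"substr: bad range {start_pos}..{end_pos}")
    return s[start_pos:end_pos]


def extract_api(path: str) -> Optional[str]:
    """The indexof use case: the second '/'-delimited segment of an OCI Audit
    Logs Path value, guarded so a Path with fewer than three '/' yields None
    instead of feeding -1 into substr."""
    first = la_indexof(path, "/")
    second = la_indexof(path, "/", first + 1)
    third = la_indexof(path, "/", second + 1)
    if -1 in (first, second, third):
        return None
    return la_substr(path, second + 1, third)


def extract_area(type_value: str) -> Optional[str]:
    """The lastindexof use case: the component between the last two '.' of an
    OCI Audit Logs Type value, guarded the same way."""
    last_dot = la_lastindexof(type_value, ".")
    if last_dot == -1:
        return None
    prev_dot = la_lastindexof(type_value, ".", last_dot - 1)
    return la_substr(type_value, prev_dot + 1, last_dot)


if __name__ == "__main__":
    # Constructed sample values modelled on the page's use cases.
    for p in ("/apis/coordination.k8s.io/v1/namespaces/default/leases/oracle.com-oci", "/apis/healthz"):
        print(f"Path={p!r:75} API={extract_api(p)!r}")
    for t in ("com.oraclecloud.computeApi.GetInstance", "GetInstance"):
        print(f"Type={t!r:45} Area={extract_area(t)!r}")
```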


replace Function Details

The syntax for the replace function:

replace(String, String, String, String, String, ..)

replace supports multiple replacements in a single function call. Some examples for using the replace function:

  • *|eval newField = replace('aabbcc', 'bb', 'xx')
  • *|eval newField = replace('aabbcc', 'bb', 'xx', 'cc', 'yy')
  • Example of multiple replace actions in a single replace function:

    * | eval CopiedURL = 'https://cloud.oracle.com/loganalytics/explorer?viz=<VIZ>&encodedQuery=<QUERY>&startTime=<START_TIME>&endTime=<END_TIME>&region=us-phoenix-1&tenant=testtenant'
    | eval Query = encode64('* | stats count as "Log Records" by "Log Source"')
    | eval 'Start Epoch' = toString(toNumber(toDate(dateRelative(30day))))
    | eval 'End Epoch' = toString(toNumber(now()))
    | eval Viz = pie
    | eval URL = replace(CopiedURL, '<VIZ>', Viz, '<QUERY>', Query, '<START_TIME>', 'Start Epoch', '<END_TIME>', 'End Epoch')

substr Function Details

The syntax for the substr function:

substr(String, int [, int])

substr(String, start_pos [, end_pos]): index count begins with 0; the returned substring starts at start_pos (inclusive) and ends at end_pos - 1 (inclusive), that is, end_pos itself is excluded.

In the following example, newField is the substring of aabbcc where the start index (inclusive) is 2 and end index (exclusive) is 4. Note that for strings, the index count begins with 0. So the resulting substring is bb.

*|eval newField = substr('aabbcc', 2, 4)

For use cases where the substr function is used, see indexof Function Details and lastindexof Function Details.

url Function Details

The syntax for the url function:

url(String, Name, Parameter)

Name and Parameter values are optional.

  • String: This can be a URL or one of the predefined short names. For example:
    eval Link = url('https://www.oracle.com')
  • Name: Optional Name for the URL. For example:
    eval Link = url('https://www.oracle.com', 'Oracle Home Page')
  • Parameter: Optional parameter if a short-cut is used for String. For example:
    eval Link = url('tech', 'Search Oracle', 'ORA-600')

Some examples for using the url function:

  • * | stats latest(Status) as Status
     | eval 'HTTP Status Code' = url('https://www.google.com/search?q=http+code+', Status, Status)
  • Status != null
     | eval 'HTTP Status Code' = url('https://www.google.com/search?q=http+code+', Status, Status)
     | stats count by Status

Examples for using the url function after the link command:

  • * | link status
     | eval 'HTTP Status Code' = url('https://www.google.com/search?q=http+code+', Status, Status)
  • * | link Type
     | stats latest(Status) as Status
     | eval 'HTTP Status Code' = url('https://www.google.com/search?q=http+code+', Status, Status)

Oracle-Defined url Short-Cuts

The following Oracle-defined short-cuts are available to use with the url function for eval command.

Short-Cut URL and Description Example

ora

search:oracle

https://www.google.com/search?q=site:oracle.com%20

Generate a link to search all of oracle.com for the specified strings

eval Help = url('ora', 'Search Oracle', 'ORA-600')

eval Help = url('search:oracle', 'Search Oracle', 'ORA-600')

tech

oracle-tech

https://community.oracle.com/tech/search?query=

Generate a link to search Oracle technology forums

eval Help = url('tech', 'Search Oracle Tech Forums', 'ORA-600')

eval Help = url('oracle-tech', 'Search Oracle Tech Forums', 'ORA-600')

mosc

oracle-mosc

https://community.oracle.com/mosc/search?query=

Generate a link to search My Oracle Support forums

eval Help = url('mosc', 'Search Oracle Support', 'ORA-600')

eval Help = url('oracle-mosc', 'Search Oracle Support', 'ORA-600')

google

https://www.google.com/search?q=

Generate a link to search using Google

eval 'More Info' = url('google', 'Search using Google', 'ORA-600')

bing

https://www.bing.com/search?q=

Generate a link to search using Bing

eval 'More Info' = url('bing', 'Search using Bing', 'ORA-600')

ddg

duckduckgo

https://duckduckgo.com/?q=

Generate a link to search using DuckDuckGo

eval 'More Info' = url('ddg', 'Search using DuckDuckGo', 'ORA-600')

eval 'More Info' = url('duckduckgo', 'Search using DuckDuckGo', 'ORA-600')

so

stackoverflow

https://stackoverflow.com/search?q=

Generate a link to search at StackOverflow

eval 'More Info' = url('so', 'Search using StackOverflow', 'ORA-600')

eval 'More Info' = url('stackoverflow', 'Search using StackOverflow', 'ORA-600')

cve

https://www.cve.org/CVERecord?id=

Generate a link for the given CVE ID

* | link
| eval 'CVE Details' = url('cve', 'CVE-2021-22931 - Improper Null Termination in Node.js', 'CVE-2021-22931')

Generates a link to https://www.cve.org/CVERecord?id=CVE-2021-22931