Eval Command
Use the eval command to calculate the value of an expression and display the value in a new field.
Note: While the stats command calculates statistics based on existing fields, the eval command creates new fields by using existing fields and arbitrary expressions.
Syntax
*|eval <new_field_name>=<expression>
Operators and Functions Available with the Command
The following table lists the operators available with the eval command.
Category | Example |
---|---|
Arithmetic Operators | + , - , * , / , % |
Comparison Operators | = , != , < , > , <= , >= |
Logical Operators | and , or , not |
Conditional Operators | if(<expression>,<expression>,<expression>) |
Multiple Comparison Operators | in , not in |
The following table lists the functions available with the eval command.
Category | Example |
---|---|
String Functions | |
Numeric Functions | |
Date Functions | |
Network Functions | |
Note:
- For the concat() function, you can input numeric data types like integer, float, or long. The numeric fields will be automatically converted to the corresponding string values.
- You can use || to concatenate n number of inputs. Here too, you can input numeric data types, which will be automatically converted to the corresponding string values.
Parameters
The following table lists the parameters used in this command, along with their descriptions.
Parameter | Description |
---|---|
new_field_name | Specify the name of the field where the calculated value of the expression is to be displayed. |
expression | Specify the expression for which the value needs to be calculated. |
Supported Types for the unit Function
Unit Names:
BYTE
KILOBYTE | KB
MEGABYTE | MB
GIGABYTE | GB
TERABYTE | TB
PETABYTE | PB
EXABYTE | EB
MICRO | µs
MILLISECOND | MS
S | SEC | SECS | SECOND | SECONDS
M | MIN | MINS | MINUTE | MINUTES
H | HR | HRS | HOUR | HOURS
D | DAY | DAYS
W | WEEK | WEEKS
MON | MONTH | MONTHS
Y | YR | YRS | YEAR | YEARS
PERCENT | PCT
Supported Currency Types in the unit Function
Specify the currency unit using the following format:
eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>)
eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>_k)
eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>_m)
eval <New Field> = unit(<Field>, currency_<ISO-4217 Code>_b)
The suffixes _k, _m and _b are used to indicate the currency in thousands, millions or billions, respectively. For a full list of currency codes, see ISO Standards.
NLS_Territory | Currency |
---|---|
AFGHANISTAN | AFN |
ALBANIA | ALL |
ALGERIA | DZD |
AMERICA | USD |
ANGOLA | AOA |
ANTIGUA AND BARBUDA | XCD |
ARGENTINA | ARS |
ARMENIA | AMD |
ARUBA | AWG |
AUSTRALIA | AUD |
AUSTRIA | EUR |
AZERBAIJAN | AZN |
BAHAMAS | BSD |
BAHRAIN | BHD |
BANGLADESH | BDT |
BARBADOS | BBD |
BELARUS | BYN |
BELGIUM | EUR |
BELIZE | BZD |
BERMUDA | BMD |
BOLIVIA | BOB |
BOSNIA AND HERZEGOVINA | BAM |
BOTSWANA | BWP |
BRAZIL | BRL |
BULGARIA | BGN |
CAMBODIA | KHR |
CAMEROON | XAF |
CANADA | CAD |
CAYMAN ISLANDS | KYD |
CHILE | CLP |
CHINA | CNY |
COLOMBIA | COP |
CONGO BRAZZAVILLE | XAF |
CONGO KINSHASA | CDF |
COSTA RICA | CRC |
CROATIA | HRK |
CURACAO | ANG |
CYPRUS | EUR |
CZECH REPUBLIC | CZK |
DENMARK | DKK |
DJIBOUTI | DJF |
DOMINICA | XCD |
DOMINICAN REPUBLIC | DOP |
ECUADOR | USD |
EGYPT | EGP |
EL SALVADOR | SVC |
ESTONIA | EUR |
ETHIOPIA | ETB |
FINLAND | EUR |
FRANCE | EUR |
FYR MACEDONIA | MKD |
GABON | XAF |
GEORGIA | GEL |
GERMANY | EUR |
GHANA | GHS |
GREECE | EUR |
GRENADA | XCD |
GUATEMALA | GTQ |
GUYANA | GYD |
HAITI | HTG |
HONDURAS | HNL |
HONG KONG | HKD |
HUNGARY | HUF |
ICELAND | ISK |
INDIA | INR |
INDONESIA | IDR |
IRAN | IRR |
IRAQ | IQD |
IRELAND | EUR |
ISRAEL | ILS |
ITALY | EUR |
IVORY COAST | XOF |
JAMAICA | JMD |
JAPAN | JPY |
JORDAN | JOD |
KAZAKHSTAN | KZT |
KENYA | KES |
KOREA | KRW |
KUWAIT | KWD |
KYRGYZSTAN | KGS |
LAOS | LAK |
LATVIA | EUR |
LEBANON | LBP |
LIBYA | LYD |
LIECHTENSTEIN | CHF |
LITHUANIA | EUR |
LUXEMBOURG | EUR |
MACAO | MOP |
MALAWI | MWK |
MALAYSIA | MYR |
MALDIVES | MVR |
MALTA | EUR |
MAURITANIA | MRU |
MAURITIUS | MUR |
MEXICO | MXN |
MOLDOVA | MDL |
MONTENEGRO | EUR |
MOROCCO | MAD |
MOZAMBIQUE | MZN |
MYANMAR | MMK |
NAMIBIA | NAD |
NEPAL | NPR |
NEW ZEALAND | NZD |
NICARAGUA | NIO |
NIGERIA | NGN |
NORWAY | NOK |
OMAN | OMR |
PAKISTAN | PKR |
PANAMA | PAB |
PARAGUAY | PYG |
PERU | PEN |
PHILIPPINES | PHP |
POLAND | PLN |
PORTUGAL | EUR |
PUERTO RICO | USD |
QATAR | QAR |
ROMANIA | RON |
RUSSIA | RUB |
SAINT KITTS AND NEVIS | XCD |
SAINT LUCIA | XCD |
SAUDI ARABIA | SAR |
SENEGAL | XOF |
SERBIA | RSD |
SIERRA LEONE | SLL |
SINGAPORE | SGD |
SLOVAKIA | EUR |
SLOVENIA | EUR |
SOMALIA | SOS |
SOUTH AFRICA | ZAR |
SOUTH SUDAN | SSP |
SPAIN | EUR |
SRI LANKA | LKR |
SUDAN | SDG |
SURINAME | SRD |
SWAZILAND | SZL |
SWEDEN | SEK |
SWITZERLAND | CHF |
SYRIA | SYP |
TAIWAN | TWD |
TANZANIA | TZS |
THAILAND | THB |
THE NETHERLANDS | EUR |
TRINIDAD AND TOBAGO | TTD |
TUNISIA | TND |
TURKEY | TRY |
TURKMENISTAN | TMT |
UGANDA | UGX |
UKRAINE | UAH |
UNITED ARAB EMIRATES | AED |
UNITED KINGDOM | GBP |
URUGUAY | UYU |
UZBEKISTAN | UZS |
VENEZUELA | VES |
VIETNAM | VND |
YEMEN | YER |
ZAMBIA | ZMW |
ZIMBABWE | ZWL |
url Function Details
The syntax for the url function:
url(String, Name, Parameter)
Name and Parameter values are optional.
- String: This can be a URL or one of the predefined short names. For example:
eval Link = url('https://www.oracle.com')
- Name: Optional name for the URL. For example:
eval Link = url('https://www.oracle.com', 'Oracle Home Page')
- Parameter: Optional parameter if a shortcut is used for String. For example:
eval Link = url('tech', 'Search Oracle', 'ORA-600')
For examples of using this command in typical scenarios, see:
- Rename the Fields by Editing the Query in Using Oracle Log Analytics
- Histogram Chart Options in Using Oracle Log Analytics
- Visualize Time Series Data Using the Link Trend Feature in Using Oracle Log Analytics
- Generate Charts with Virtual Fields in Using Oracle Log Analytics
- Link by Using SQL Statement as the Field of Analysis in Using Oracle Log Analytics
- Analyze the Time Taken Between Steps in a Transaction in Using Oracle Log Analytics
- Use Link Navigation Functions to Identify Events in a Database in Using Oracle Log Analytics
- Use the Currency Symbols in Your Log Analysis in Using Oracle Log Analytics
Following are some examples of the eval command.
*|eval newField = 'foo'
*|eval newField = 123
*|eval newField = upper(Target)
*|eval newField = length('hello world')
*|eval newField = replace('aabbcc', 'bb', 'xx')
*|eval newField = concat(host, concat (':', port))
*|eval newField = host || ':'|| port
*|eval newField = url('Destination URL')
*|eval newField = substr('aabbcc', 2, 4)
*|eval newField = round(123.4)
*|eval newField = unit('Content Size', KB)
eval 'File Size (bytes)' = unit('File Size', 'byte')
eval 'File Size (KB)' = unit('File Size'/1024, 'kb')
eval 'File Size (MB)' = unit('File Size'/(1024*1024), 'mb')
eval 'Time Taken (Sec)' = unit('Time Taken (ms)'/1000, 'SEC')
*|eval newField = floor(4096/1024)+Length
*|eval newField = if (max(length(Target), length(Severity)) <= 20, 'OK', 'ERROR')
*|eval newField = urldecode('http%3A%2F%2Fexample.com%3A893%2Fsolr%2FCORE_0_0%2Fquery')
*|eval newField = 'Host Name (Destination)' in (host1, host2)
The following example compares the IP addresses in the field srvrhostip to a subnet range.
*|eval newField = if (cidrmatch(srvrhostip, '192.0.2.254/25') = 1, 'local', 'not local')
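To see which addresses the subnet string in the example above covers, the following added example (Python, not Oracle's code) reproduces the check with the standard ipaddress module. It assumes cidrmatch reads '192.0.2.254/25' as the /25 block containing that address and treats empty or malformed values as non-matching; the sample srvrhostip values are constructed.

```python
import ipaddress

# Subnet string copied from the page's cidrmatch example.
PAGE_CIDR = "192.0.2.254/25"


def subnet_bounds(cidr):
    """Return (first, last) address of the block a CIDR string denotes."""
    # strict=False masks off host bits, so 192.0.2.254/25 -> 192.0.2.128/25.
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def classify(ip_text, cidr=PAGE_CIDR):
    """Mirror if(cidrmatch(ip, cidr) = 1, 'local', 'not local')."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        # Assumption: empty or malformed field values never match a subnet.
        return "not local"
    net = ipaddress.ip_network(cidr, strict=False)
    # An IPv6 address is never a member of an IPv4 network (and vice versa).
    if addr.version != net.version:
        return "not local"
    return "local" if addr in net else "not local"


# Constructed sample values for the srvrhostip field.
SAMPLE_SRVRHOSTIP = ["192.0.2.129", "192.0.2.127", "192.0.2.255",
                     "198.51.100.7", "2001:db8::1", "-", ""]

if __name__ == "__main__":
    print("range:", subnet_bounds(PAGE_CIDR))
    for value in SAMPLE_SRVRHOSTIP:
        print(f"{value!r:16} -> {classify(value)}")
```

Under that assumption the prefix covers 192.0.2.128 through 192.0.2.255, so 192.0.2.127 is labelled 'not local' even though it shares the first three octets.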
The following example returns the string “Target”.
*|eval newField = literal(Target)
The following example removes the spaces and tabs from both the ends.
*|eval newField = trim(Label)
The following example removes the matching character from both the ends.
*|eval newField = trim('User Name',h)
The following example removes the matching character from the left end.
*|eval newField = ltrim('Error ID',0)
The following example removes the matching character from the right end.
*|eval newField = rtrim('OS Process ID',2)
The following example sets the field date to Start Date and defines the format of the date as MM/dd/yyyy HH:mm.
*|eval date = toDate('Start Date', 'MM/dd/yyyy HH:mm')
The following example sets the value of the field duration to 1.30.
*|eval duration = toduration("1.30")
The following example sets the value of the field duration to a numerical value which is the difference of End Time and Start Time.
*|eval duration = formatDuration('End Time' - 'Start Time')
The following examples illustrate the use of date functions.
*| eval lastHour = dateAdd(now(), hour, -1)
*| eval midnight = dateSet(now(), hour, 0, minute, 0, sec, 0, msec, 0)
*| eval timeOnly = formatDate(now(), 'HH:mm:ss')
*| eval now = now()
The following example sets the value of the field newField with the position of .com in the uri string.
*|eval newField = indexOf(uri, '.com')
You can use the md5, sha1, and sha256 hash functions with the eval command to filter log data. The following example sets the value of the field user with the value sha1("jane").
*|eval user = sha1("jane")
A field marked with a size or duration unit is used to format the values in the Link Analyze chart, addfields histograms, and the Link Table:
'Log Source' = 'FMW WebLogic Server Access Logs'
| link span = 5minute Time, Server
| stats avg('Duration') as 'Raw Avg. Duration'
avg('Content Size') as 'Raw Avg. Transfer Size'
| eval 'Average Duration' = unit('Raw Avg. Duration', ms)
| eval 'Average Transfer Size' = unit('Raw Avg. Transfer Size', byte)
| classify 'Start Time', 'Average Duration',
'Average Transfer Size' as 'Response Time vs. Download Sizes'
Mark a field as containing US Dollars, thousands of US Dollars, millions of US Dollars, or billions of US Dollars, respectively:
| eval 'Amount in USD' = unit('Sales Price', usd)
| eval 'Amount in Thousands (USD)' = usd('Quarterly Sales', usd_thousand)
| eval 'Amount in Millions (USD)' = usd('Annual Profit', usd_million)
| eval 'Amount in Billions (USD)' = usd('Annual Sales', usd_billion)