Splunk Commands Tutorials & Reference:-
Commands Category: Filtering
Commands: eval
Use: The eval command calculates an expression and puts the resulting value into a search results field. The eval command evaluates mathematical, string, and boolean expressions.
If the field name that you specify does not match a field in the output, a new field is added to the search results.
If the field name that you specify matches a field name that already exists in the search results, the results of the eval expression overwrite the values in that field.
Difference between eval and stats commands
The stats command calculates statistics based on fields in your events. The eval command creates new fields in your events by using existing fields and an arbitrary expression.
homework Server's Time
host=homework usr=* | eval timestamp=strftime(_time, "%I:%M") | table timestamp usr
Duration between events
Add a field to each event which is the time between this event and the previous one.
failed*
| sort _time
| streamstats current=f global=f window=1 last(_time) as last_ts
| eval time_since_last = _time - last_ts
| fieldformat time_since_last = tostring(time_since_last, "duration")
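The following Python script is an added example, not part of the original page, that reproduces the search above outside Splunk so the mechanics are visible: filter to "failed" events (the `failed*` base search), sort by time, carry the previous event's time forward (streamstats with current=f window=1), subtract it, and render the gap in a Splunk-style duration string. The sample events are constructed here; `tostring_duration` is an assumed approximation of Splunk's tostring(x, "duration") output.

```python
from datetime import datetime, timezone

# Constructed sample events (not from the page): ISO timestamp, host, raw message.
# They are deliberately out of order to show why `| sort _time` comes first.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", "homework", "login failed for user alice"),
    ("2024-05-01T10:00:01", "homework", "login ok for user bob"),
    ("2024-05-01T10:00:35", "homework", "login failed for user alice"),
    ("2024-05-01T10:02:35", "homework", "login failed for user alice"),
]


def parse_events(lines):
    """Turn raw (ts, host, msg) tuples into dicts with a numeric _time, as Splunk does."""
    events = []
    for ts, host, msg in lines:
        epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
        events.append({"_time": epoch, "host": host, "_raw": msg})
    return events


def matches_failed(event):
    """Equivalent of the base search `failed*`: keep events whose text contains 'failed'."""
    return "failed" in event["_raw"]


def tostring_duration(seconds):
    """Assumed approximation of tostring(x, "duration"): HH:MM:SS, with a D+ prefix for days."""
    seconds = int(seconds)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    base = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{base}" if days else base


def time_since_last(events):
    """
    Equivalent of:
      | sort _time
      | streamstats current=f global=f window=1 last(_time) as last_ts
      | eval time_since_last = _time - last_ts
      | fieldformat time_since_last = tostring(time_since_last, "duration")
    Returns the events in time order with last_ts, time_since_last and a
    formatted copy (time_since_last_fmt) added to each one.
    """
    ordered = sorted(events, key=lambda e: e["_time"])
    last_ts = None  # current=f means the first event sees no previous value
    for e in ordered:
        e["last_ts"] = last_ts
        e["time_since_last"] = None if last_ts is None else e["_time"] - last_ts
        e["time_since_last_fmt"] = (
            None if e["time_since_last"] is None
            else tostring_duration(e["time_since_last"])
        )
        last_ts = e["_time"]
    return ordered


def run_pipeline(lines=SAMPLE_EVENTS):
    """Run the whole search: filter failed events, then compute gaps between them."""
    failed = [e for e in parse_events(lines) if matches_failed(e)]
    return time_since_last(failed)


if __name__ == "__main__":
    for e in run_pipeline():
        print(e["_time"], e["time_since_last_fmt"], e["_raw"])
```

Note that `fieldformat` only changes how the value is displayed, so the script keeps the raw number of seconds in `time_since_last` and the rendered string in a separate field; a detection that alerts on many failures within a short gap should compare the numeric field, not the formatted one.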
Use the if function to analyze field values
Create a field called error in each event. Using the if function, set the value in the error field to OK if the status value is 200. Otherwise set the error field value to Problem.
... | eval error = if(status == 200, "OK", "Problem")
Use the value of one field as the name for a new field
In this example, use each value of the field counter to make a new field name. Assign to the new field the value of the Value field.
index=perfmon sourcetype=Perfmon* counter=* Value=* | eval {counter} = Value
Map the status field to some simple HTTP error messages
source="access_30day.log" | eval error_msg = case(status == 404, "Not found", status == 500, "Internal Server Error", status == 200, "OK")
source="access_30day.log" | eval error_msg = case(status == 404, "Not found", status == 500, "Internal Server Error", status == 200, "OK") | table error_msg