This topic describes how to use the function in the.

The Eval function calculates an expression and puts the resulting value into the record as a new field.

If the field name that you specify does not match a field in the data stream, a new top-level field is added to your record.
If the field name that you specify matches a field name that already exists in the data stream, the results of the eval expression overwrite the values in that field.

You can chain multiple eval expressions in a single Eval function using a comma to separate subsequent expressions. The Eval function processes multiple eval expressions in order and lets you reference previously evaluated fields in subsequent expressions.

Most of the time the Eval function is used to create a new top-level field in your data and the values in that new field are the result of an expression. There are many types of expressions you can specify.

There are dozens of scalar functions that you can use in the eval expression. The functions are organized into these categories:

For examples of how to use these scalar functions in your Eval function, see the Examples on this page.

Both functions are used to change the fields in the record. However, while the Eval function keeps existing fields and adds new fields for the aliases in the eval, the Select function only includes the fields explicitly specified in the select function.

Eval =.

Function Input/Output Schema

Function Input
collection<record<R>>
This function takes in collections of records with schema R.

Function Output
collection<record<S>>
This function outputs the same collection of records but with a different schema S.

Required arguments

field
Syntax:
Description: A destination field name for the resulting calculated value. If the field name already exists in your events, eval overwrites the value.

expression
Syntax:
Description: A combination of values, variables, operators, and functions that will be executed to determine the value to place in your destination field.

Examples

Examples of common use cases follow. These examples assume that you have added the function to your pipeline.

1. SPL2 Example: Change the value of source_type field

This example assumes that you are in the SPL View.

The following list contains the functions that you can use to compare values or specify conditional statements.

For information about using string and numeric fields in functions, and nesting functions, see Overview of SPL2 evaluation functions.

This function takes pairs of <condition> and <value> arguments and returns the first value for which the condition evaluates to TRUE. The arguments are Boolean expressions that are evaluated from first to last. When the first expression is encountered that evaluates to TRUE, the corresponding argument is returned. The function defaults to NULL if none of the arguments are true.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

The following example returns descriptions for the corresponding HTTP status code.

    | from my_dataset where sourcetype="access_*"
    | eval description=case(status = 200, "OK", status = 404, "Not found", status = 500, "Internal Server Error")

In the above example, the description column is empty for status=406 and status=408. To display a default value when the status does not match one of the values specified, use the literal true.

    | eval description=case(status = 200, "OK", status = 404, "Not found", status = 500, "Internal Server Error", true, "Other")

The word Other displays in the search results for status=406 and status=408.

This example shows you how to use the case function in two different ways, to create categories and to create a custom sort order. This example uses earthquake data downloaded from the USGS Earthquakes website. The data is a comma-separated ASCII text file that contains magnitude (mag), coordinates (latitude, longitude), region (place), and so forth, for each earthquake recorded.

You want to classify earthquakes based on depth. Shallow-focus earthquakes occur at depths less than 70 km. Mid-focus earthquakes occur at depths between 70 and 300 km. Deep-focus earthquakes occur at depths greater than 300 km. We'll use Low, Mid, and Deep for the category names.

    | from my_dataset where source="all_month.csv"
    | eval Description=case(depth<=70, "Low", depth>70 AND depth<=300, "Mid", depth>300, "Deep")
    | stats count min(mag) max(mag) by Description

The eval command is used to create a field called Description, which takes the value of "Low", "Mid", or "Deep" based on the Depth of the earthquake.