Splunk SPL Commands

What Is the eval Command?

The eval command creates new fields or modifies existing ones using expressions. It supports mathematical operations, string functions, conditional logic, type conversions, and multivalue operations. It is the Swiss Army knife of SPL — you will use it in nearly every non-trivial search.

Core Syntax

| eval <field_name> = <expression>

Essential eval Functions

Conditional Logic

| eval severity = case(
    risk_score >= 90, "Critical",
    risk_score >= 70, "High",
    risk_score >= 40, "Medium",
    1==1, "Low"
)

| eval is_admin = if(match(user, "^admin"), "Yes", "No")

String Operations

| eval domain = lower(mvindex(split(email, "@"), 1))
| eval short_host = substr(host, 1, 10)
| eval full_name = first_name . " " . last_name

split() takes only the string and the delimiter and returns a multivalue field; mvindex() (0-based) picks the element you want, so index 1 is the part after the "@".

Mathematical Operations

| eval transfer_MB = round(bytes / 1048576, 2)
| eval duration_hours = round(duration / 3600, 1)
| eval risk_weighted = risk_score * asset_priority

Time Functions

| eval event_hour = strftime(_time, "%H")
| eval day_of_week = strftime(_time, "%A")
| eval time_since = now() - _time
| eval human_time = strftime(_time, "%Y-%m-%d %H:%M:%S")
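A worked example, added here and not part of the original page, that combines the time functions above in a certificate-expiry check. It assumes a hypothetical index=pki with a sourcetype cert_inventory whose events carry host, cn and an ISO 8601 not_after field; none of these names come from the original page. It goes one step beyond the list above by using strptime() (string to epoch, the inverse of strftime()), isnull() to catch dates that fail to parse, tostring(x, "duration") to render seconds as HH:MM:SS, and relative_time() to snap a timestamp to the start of its day.

```spl
index=pki sourcetype=cert_inventory
| eval expires_epoch = strptime(not_after, "%Y-%m-%dT%H:%M:%SZ")
| eval days_left = round((expires_epoch - now()) / 86400, 1)
| eval expiry_status = case(
    isnull(expires_epoch), "Unparseable date",
    days_left < 0, "Expired",
    days_left <= 30, "Expiring soon",
    1==1, "OK")
| eval record_age = tostring(now() - _time, "duration")
| eval inventory_day = strftime(relative_time(_time, "@d"), "%Y-%m-%d")
| table host, cn, not_after, days_left, expiry_status, record_age, inventory_day
| sort days_left
```

The isnull() branch comes first on purpose: strptime() returns null when the string does not match the format, and a comparison against a null days_left never evaluates true, so without that branch a bad date would fall through to the 1==1 default and be labelled "OK".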

Security Operations Examples

1. Risk Scoring with Weighted Factors

index=notable
| eval risk = case(
    urgency=="critical" AND severity=="high", 100,
    urgency=="high", 75,
    urgency=="medium", 50,
    1==1, 25)
| eval business_impact = risk * case(
    asset_category=="domain_controller", 3,
    asset_category=="database", 2.5,
    asset_category=="workstation", 1,
    1==1, 1)
| sort - business_impact

2. Categorizing Network Traffic

index=network sourcetype=firewall
| eval traffic_type = case(
    dest_port==443 OR dest_port==8443, "HTTPS",
    dest_port==80, "HTTP",
    dest_port==53, "DNS",
    dest_port==22, "SSH",
    dest_port >= 1024 AND dest_port <= 65535, "Ephemeral",
    1==1, "Other")
| stats sum(bytes) AS total_bytes BY traffic_type

case() evaluates its conditions in order and stops at the first match, which is why 8443 is labelled "HTTPS" even though it also falls inside the "Ephemeral" range listed later.

3. Login Hour Classification

index=security sourcetype=WinEventLog:Security EventCode=4624
| eval login_hour = tonumber(strftime(_time, "%H"))
| eval time_category = case(
    login_hour >= 6 AND login_hour < 18, "Business Hours",
    login_hour >= 18 AND login_hour < 22, "After Hours",
    1==1, "Overnight")
| stats count BY Account_Name time_category
| where time_category="Overnight" AND count > 5

Caveat: in classic WinEventLog:Security 4624 events, Account_Name is extracted as a multivalue field (the subject account and the logged-on account), so stats splits on the combined value. Pick the element you want with mvindex() before grouping.

4. Compliance Status Labeling (NIST 800-53)

| eval compliance_status = case(
    days_since_scan <= 30, "Compliant (RA-5)",
    days_since_scan <= 60, "Warning",
    1==1, "Non-Compliant")
| eval patch_status = if(days_since_patch <= 14, "Current (SI-2)", "Overdue")

Multiple eval Statements

You can chain multiple assignments in a single eval using commas. Assignments are evaluated left to right, so a later one can use a field assigned earlier in the same statement:

| eval transfer_MB = round(bytes / 1048576, 2),
       duration_min = round(duration / 60, 1),
       rate_MBps = round(transfer_MB / duration, 3)

Note that MB per second is transfer_MB divided by the duration in seconds, not by duration_min. If duration is 0, eval yields null for rate_MBps rather than an error; guard with if(duration > 0, ..., null()) if you need that made explicit.

Best Practices

  • Use case() over nested if(): case is more readable for multiple conditions. case() returns null when nothing matches, so always end with a 1==1 (or true()) default.
  • Alias computed fields clearly: name fields descriptively, transfer_MB not x.
  • Use coalesce() for fallback values, for example eval user = coalesce(Account_Name, src_user, "unknown"). It returns the first argument that is not null.
  • Validate types: use tonumber() and tostring() to avoid type mismatches in comparisons, and isnull()/isnotnull() to handle fields that failed to convert.
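The following search is an added example, not code from the original page, that applies these practices together in one detection: multivalue handling, coalesce() fallbacks, tonumber() before numeric comparison, a case() with an explicit default, and a time-of-day classification. It assumes classic WinEventLog:Security extractions (Account_Name, Logon_Type, Source_Network_Address), that Account_Name in a 4624 event is a two-element multivalue with the logged-on account second, and that the index is named security; the thresholds at the end are illustrative. Environments that ingest the XML event format use different field names (TargetUserName, LogonType, IpAddress) and need the names adjusted.

```spl
index=security sourcetype=WinEventLog:Security EventCode=4624
| eval target_user = if(mvcount(Account_Name) > 1, mvindex(Account_Name, 1), Account_Name)
| eval user = lower(coalesce(target_user, user, "unknown"))
| eval logon_type = tonumber(Logon_Type)
| eval logon_kind = case(
    logon_type==2, "Interactive",
    logon_type==3, "Network",
    logon_type==10, "RemoteInteractive",
    isnull(logon_type), "Unknown",
    1==1, "Other")
| eval is_machine_or_builtin = if(like(user, "%$") OR in(user, "system", "anonymous logon", "unknown"), 1, 0)
| where is_machine_or_builtin=0 AND logon_kind="RemoteInteractive"
| eval login_hour = tonumber(strftime(_time, "%H"))
| eval off_hours = if(login_hour < 6 OR login_hour >= 22, 1, 0)
| stats count AS logons, sum(off_hours) AS off_hours_logons,
        dc(Source_Network_Address) AS distinct_sources,
        earliest(_time) AS first_seen, latest(_time) AS last_seen BY user
| eval off_hours_pct = round(100 * off_hours_logons / logons, 1),
       first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| where off_hours_logons >= 3 OR distinct_sources > 1
| sort - off_hours_pct
```

The mvcount() guard keeps the search correct whether Account_Name arrives as one value or two. Machine accounts (names ending in $) and built-in principals are dropped with a flag field rather than a bare where clause so the exclusion is visible in the field list during tuning; tonumber() on Logon_Type ensures the numeric comparisons in case() do not silently fall through to the default for values stored as strings.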

Next in the Rhombic SPL Series: the rex command, extracting fields with regular expressions.