Hello! Welcome to the Comparing Values learning module. I'm Jessica with Splunk Education. In this module, you will learn how to compare values in your data using conditional statements and commands.

We'll begin with the eval command. The eval command calculates an expression, then puts the resulting value into a new or existing field, which can be reused in the search pipeline. Now, if we are using eval with a field that already exists, the eval command will overwrite the values of the field with the results of the eval expression. This is done at search time, not changing or overwriting any of the already indexed data. If we are creating a new field with the eval command, it will take the values of the expressions. But again, no new data is written into the index as the eval command operates at search time.

Now, the eval command supports various operators that can be used in the expressions, ranging from arithmetic operators and comparison operators to concatenation operators. There are two types of concatenation operators, as we see here: the plus operator and the period operator. The plus operator accepts two numbers for addition or two strings for concatenation. The period operator concatenates both strings and numbers. Numbers are concatenated in their string representative form.

Now, the eval command treats string values in a certain way where the syntax needs to be specific. So let's take a look at an example here: we run a search across our retail sales data, and we're looking at the retail sales of the United States. I'm going to run this search across the last 24 hours. And what you'll notice here is we have our price field in the sidebar. We would like to compute a sum of our price per state and display that information in a table. I'm going to pipe to the stats command, sum up the price field, name that "sales", and split by VendorStateProvince. That will take me over into a two-column table.
And I'm going to create a brand new field using the eval command called Performance. This is not a preexisting field. I'm creating a brand new field and setting that equal to the case function, which is going to take a Boolean expression that returns true or false as the first argument. So what it will evaluate for is whether the value of sales is less than or equal to five hundred. The field of Performance will be equal to a value of "Needs immediate evaluation". Field values that are created using the eval command are treated in a case-sensitive manner. So "Needs immediate evaluation" can be one of the possible values. Now, another Boolean argument that we can pass in is whether the sales value is less than one thousand. In this case, Performance will be equal to a value of "Underperformer". If sales is greater than or equal to 1000, it will take a value of "Overperformer". And we will run this search and see Performance added as a column to our table, depending on what the value of sales is in that specific event.

Now, field names must be unquoted or single quoted when they include a special character like a space. So we can see that when we're using these field names in the eval command, such as sales, it is unquoted.

And I can go ahead and create one more field here with the eval command, by either chaining an expression with a comma or by piping to a completely separate eval command, creating this field of Verdict, setting that equal to the if function, and saying if Performance has a value in this list of "Underperformer", "Needs immediate evaluation", then we are going to set Verdict to "Send to marketing" or take the value of "null". All right, we'll run that search. Verdict will be added as a column to the table and we can see the empty cells are null values.

And then lastly, we are going to add a dollar sign in front of these sales values because they represent monetary values.
I will set Sales equal to concatenating a dollar sign to the front, converting Sales to a string, adding commas where necessary. One thing about concatenation with the eval command is to use a period instead of a plus symbol when concatenating strings and numbers to avoid conflicts.

Now, there are multiple different ways to write eval expressions. We can pipe to separate eval commands, which adds more lines to your SPL. We can include the function and the expression as an argument to that function, containing everything within one single line in one eval command. Or we can comma separate the two eval expressions all within one single eval command. This shows that evals can be separate, they can be nested, or linked with a comma, all resulting in the same table.

Now, if we create temporary fields using eval such as the bandwidth field, those can be referenced in the search pipeline by any commands following that. We can sort the values in descending order, for example, and rename them. They will be treated just like any other field.
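
The search narrated above, written out as an added example (it is not taken from the video or from Splunk's course material). The first four lines are an assumption: they build five constructed sample events with makeresults in place of the retail sales base search, which the transcript does not show, so the pipeline runs on any Splunk instance. The field name row and all prices are made up for illustration.

```spl
| makeresults
| eval row=split("California,24.99;California,1200.00;Texas,399.99;Texas,450.00;Nevada,39.99", ";")
| mvexpand row
| eval VendorStateProvince=mvindex(split(row, ","), 0), price=tonumber(mvindex(split(row, ","), 1))
| stats sum(price) as sales by VendorStateProvince
| eval Performance=case(sales<=500, "Needs immediate evaluation",
                        sales<1000, "Underperformer",
                        sales>=1000, "Overperformer")
| eval Verdict=if(in(Performance, "Underperformer", "Needs immediate evaluation"), "Send to marketing", null())
| eval sales="$".tostring(sales, "commas")
```

With this sample data, California sums to 1224.99 and is an "Overperformer" with an empty Verdict, Texas (849.99) is an "Underperformer", and Nevada (39.99) "Needs immediate evaluation". The case function returns the value for the first condition that is true, which is why Nevada is not also labelled "Underperformer" even though its total is below 1000.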