eval

The eval command evaluates the specified expression and appends the result of the evaluation to the search results.

The eval command is not rewritten to query domain-specific language (DSL). It is only executed on the coordinating node.

Syntax

The eval command has the following syntax:

eval <field>=<expression> ["," <field>=<expression> ]...

Parameters

The eval command supports the following parameters.

Example 1: Create a new field

The following query creates a new doubleAge field for each document:

source=accounts
| eval doubleAge = age * 2
| fields age, doubleAge

The query returns the following results:

Example 2: Override an existing field

The following query overrides the age field by adding 1 to its value:

source=accounts
| eval age = age + 1
| fields age

The query returns the following results:

Example 3: Create a new field using a field defined in eval

The following query creates a new field based on another field defined in the same eval expression. In this example, the new ddAge field is calculated by multiplying the doubleAge field by 2. The doubleAge field itself is defined earlier in the eval command:

source=accounts
| eval doubleAge = age * 2, ddAge = doubleAge * 2
| fields age, doubleAge, ddAge

The query returns the following results:

Example 4: String concatenation

The following query uses the + operator for string concatenation. You can concatenate string literals and field values as follows:

source=accounts 
| eval greeting = 'Hello ' + firstname 
| fields firstname, greeting

The query returns the following results:

Example 5: Multiple string concatenation with type casting

The following query performs multiple concatenation operations, including type casting from numeric values to strings:

source=accounts | eval full_info = 'Name: ' + firstname + ', Age: ' + CAST(age AS STRING) | fields firstname, age, full_info

The query returns the following results: