Version: Development

Eval Functions

Basic Field Expressions

Field expressions can use arithmetic operators to compute values:

| eval myfield=field1 + field2
| eval myfield=field1 - field2
| eval myfield=field1 * field2
| eval myfield=field1 / field2

Conditional Expressions

if

The if function evaluates a condition and returns one of two values:

| eval myfield=if(condition, trueValue, falseValue)

Example:

| eval myfield=if(field1 > 100, "high", "low")

isnull

Checks if a field is null or undefined:

| eval myfield=isnull(field1)

Conversion Functions

to_string

Converts a value to string type:

| eval myfield=to_string(field1)

to_number

Converts a value to numeric type:

| eval myfield=to_number(field1)

to_boolean

Converts a value to boolean type:

| eval myfield=to_boolean(field1)

to_array

Converts a value to array type:

| eval myfield=to_array(field1)

to_json

Converts a parseable string value to JSON type:

| eval myfield=to_json(field1)

convert

Converts data between different formats. Supports conversion to CEF and LEEF formats.

CEF Conversion

Converts the entire event to CEF format. If the following fields exist in the event, they are automatically added to the CEF header:

  • deviceVendor
  • deviceProduct
  • deviceVersion
  • deviceEventClassId
  • name
  • severity

| eval deviceVendor="Some Vendor", deviceProduct="Some Product" ... | eval cefOutput = convert(cef)
| eval cefOutput = convert(cef, exclude=[password, rawPayload])

LEEF Conversion

Converts the entire event to LEEF format. If the following fields exist in the event, they are automatically added to the LEEF header:

  • leefVersion
  • deviceVendor
  • deviceProduct
  • deviceVersion
  • deviceEventClassId

| eval leefOutput = convert(leef)
| eval leefOutput = convert(leef, include=[user, srcIp, dstIp, action])

Notes:

  • For CEF and LEEF conversions, you can specify which fields to include or exclude
  • The default delimiter character for LEEF is ^
  • The conversion takes the entire event as its input and assigns the converted value to the field named on the left of the assignment
  • Field names in the examples use camelCase for better readability
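To make the header/extension split and the include/exclude selection concrete, here is an added Python example that serialises an event into CEF and LEEF. It is illustrative code written for this page, not the product's convert() implementation: the header field names are the ones listed above and the default ^ delimiter comes from the notes, while the field order, the LEEF 2.0 layout and the escaping of backslash, pipe, equals and newline characters follow the public CEF and LEEF specifications and are assumptions about how convert() behaves. The escaping matters for a defender because an unescaped value such as a raw payload containing "=" or a newline would otherwise be read downstream as extra key=value pairs. The sample event is constructed here.

```python
# Added example, not the product's convert(): serialise an event dict to CEF and
# LEEF with include/exclude filtering and the default '^' LEEF delimiter.
# Field order, LEEF 2.0 layout and escaping rules follow the public CEF/LEEF
# specifications and are assumptions about the real convert().

CEF_VERSION = "0"
DEFAULT_LEEF_VERSION = "2.0"

# Header fields in the order each format prescribes; these are the names the
# page says convert() picks up from the event automatically.
CEF_HEADER = ("deviceVendor", "deviceProduct", "deviceVersion",
              "deviceEventClassId", "name", "severity")
LEEF_HEADER = ("deviceVendor", "deviceProduct", "deviceVersion",
               "deviceEventClassId")


def _escape_header(value) -> str:
    # Header fields are pipe-delimited, so '\' and '|' inside them are escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_cef_extension(value) -> str:
    # CEF extension values: '\' and '=' are escaped, CR/LF become literal \r / \n.
    # Without this, a value like "x suser=admin" would parse as an extra key.
    text = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return text.replace("\r", "\\r").replace("\n", "\\n")


def _extension_fields(event, skip, include, exclude):
    """Non-header fields that survive include/exclude, in event order."""
    fields = [k for k in event if k not in skip]
    if include is not None:
        fields = [k for k in fields if k in include]
    if exclude is not None:
        fields = [k for k in fields if k not in exclude]
    return fields


def to_cef(event, include=None, exclude=None) -> str:
    """CEF:0|vendor|product|version|classId|name|severity|k=v k=v ..."""
    header = [_escape_header(event.get(k, "")) for k in CEF_HEADER]
    ext = " ".join(f"{k}={_escape_cef_extension(event[k])}"
                   for k in _extension_fields(event, CEF_HEADER, include, exclude))
    return "CEF:" + "|".join([CEF_VERSION, *header, ext])


def to_leef(event, include=None, exclude=None, delimiter="^") -> str:
    """LEEF:2.0|vendor|product|version|eventId|delim|k=v<delim>k=v ..."""
    version = str(event.get("leefVersion", DEFAULT_LEEF_VERSION))
    header = [_escape_header(event.get(k, "")) for k in LEEF_HEADER]
    skip = set(LEEF_HEADER) | {"leefVersion"}
    # LEEF defines no escape for the delimiter, so an embedded one is replaced
    # with a space to stop one value from being read as several key=value pairs.
    ext = delimiter.join(f"{k}={str(event[k]).replace(delimiter, ' ')}"
                         for k in _extension_fields(event, skip, include, exclude))
    return "LEEF:" + "|".join([version, *header, delimiter, ext])


SAMPLE_EVENT = {  # constructed for this example, not an event from the page
    "deviceVendor": "Some Vendor",
    "deviceProduct": "Some Product",
    "deviceVersion": "1.0",
    "deviceEventClassId": "100",
    "name": "Login|Failure",        # contains a pipe: must be escaped in the header
    "severity": 5,
    "user": "alice",
    "srcIp": "10.0.0.5",
    "dstIp": "10.0.0.9",
    "action": "blocked",
    "password": "hunter2",          # typically excluded from exported records
    "rawPayload": "a=b\nc=d",       # '=' and newline: must be escaped in CEF
}

if __name__ == "__main__":
    # Mirrors the two documented calls:
    #   convert(cef, exclude=[password, rawPayload])
    #   convert(leef, include=[user, srcIp, dstIp, action])
    print(to_cef(SAMPLE_EVENT, exclude=["password", "rawPayload"]))
    print(to_leef(SAMPLE_EVENT, include=["user", "srcIp", "dstIp", "action"]))
```

Running the block prints one CEF line whose header reads Login\|Failure and whose extension carries only user, srcIp, dstIp and action, and one LEEF line with ^ as both the declared and the actual separator. Calling to_cef without the exclude list shows the rawPayload value escaped to a\=b\nc\=d on a single line, which is the property a downstream SIEM parser relies on.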

String Manipulation Functions

lower

Converts a string to lowercase:

| eval myfield=lower(field1)

upper

Converts a string to uppercase:

| eval myfield=upper(field1)

Nested Expressions

Functions can be nested within each other. For example:

| eval myfield=to_string(isnull(field1))
| eval myfield=lower(to_string(field1))
| eval myfield=if(isnull(field1), "missing", to_string(field1))

Examples

Basic Arithmetic

| eval result=field1 + field2

Input:

{
"field1": 10,
"field2": 20
}

Result:

{
"field1": 10,
"field2": 20,
"result": 30
}

Conditional with Type Conversion

| eval result=if(isnull(field1), "missing", to_string(field1))

Input:

{
"field1": 42
}

Result:

{
"field1": 42,
"result": "42"
}

String Manipulation

| eval result=upper(to_string(field1))

Input:

{
"field1": 42
}

Result:

{
"field1": 42,
"result": "42"
}

Usage Notes

  • All functions can be nested within each other
  • The if function can use isnull or to_boolean as its condition
  • Type conversion functions will return null if the conversion is not possible
  • String manipulation functions will return the original value if the input is not a string
  • Multiple field assignments can be combined using commas