Version: 2.0.0 (Latest)

Eval Functions

eval assignments can call the functions below. They run per event on the current JSON payload. For where eval sits in a pipeline (vs parse_*, rename, …), see Expressions. Full language semantics: Reference.

Also useful: PDL Quick Reference


Basic field expressions

Arithmetic uses normal operator precedence; wrap sub-expressions in parentheses when unclear.

| eval myfield=field1 + field2
| eval myfield=field1 - field2
| eval myfield=field1 * field2
| eval myfield=field1 / field2

Conditional expressions

if

Evaluates a Boolean condition and returns trueValue when it holds, otherwise falseValue. Both branches should yield a type the downstream consumer of myfield expects; mixing a string and a number across the two branches makes later comparisons unreliable.

| eval myfield=if(condition, trueValue, falseValue)

Example:

| eval myfield=if(field1 > 100, "high", "low")

isnull

Returns true when the field is absent from the event or its value is null, and false otherwise. Use it to guard conversions and comparisons that would otherwise operate on a missing value.

| eval myfield=isnull(field1)

Conversion functions

to_string / to_number / to_boolean / to_array / to_json

Coerce JSON types for comparisons, concatenation, or downstream parsers.

| eval myfield=to_string(field1)
| eval myfield=to_number(field1)
| eval myfield=to_boolean(field1)
| eval myfield=to_array(field1)
| eval myfield=to_json(field1)

convert — CEF / LEEF

Serialises the whole event (or a configured projection) into CEF or LEEF text, usually assigned to a new field for syslog-style sinks.

CEF

If present, these fields feed the CEF header: deviceVendor, deviceProduct, deviceVersion, deviceEventClassId, name, severity.

| eval deviceVendor="Some Vendor", deviceProduct="Some Product" ... | eval cefOutput = convert(cef)
| eval cefOutput = convert(cef, exclude=[password, rawPayload])

LEEF

Header-related fields include leefVersion, deviceVendor, deviceProduct, deviceVersion, deviceEventClassId.

| eval leefOutput = convert(leef)
| eval leefOutput = convert(leef, include=[user, srcIp, dstIp, action])

Notes

  • Use include / exclude lists to keep credentials, tokens and raw payloads out of the serialised text. include is an allow-list, so a field added upstream later is dropped by default; exclude is a deny-list and must be maintained as the schema grows.
  • Field values can contain the format's own delimiters (| in CEF header fields, = and line breaks in CEF extension values, the attribute delimiter in LEEF). Confirm that the engine escapes or strips them; if it does not, a log source that controls a field value can forge extra keys in the output.
  • The LEEF attribute delimiter is an engine default (commonly ^); LEEF 2.0 carries it in the header so the receiver can split on it.
  • CamelCase names in snippets are illustrative; match your schema conventions.
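The following is an added example, not code from the PDL engine or its documentation. It models what convert(cef) / convert(leef) must do: build the header from the fields listed above, apply include / exclude lists, and neutralise delimiter characters inside field values. The function names, the sample event and the ^ default for the LEEF delimiter are assumptions; the CEF escaping rules (backslash and pipe in the header, backslash, = and line breaks in extension values) come from the CEF format specification, while LEEF defines no escape for its delimiter, so the model strips it.

```python
import json
from typing import Any, Iterable, Optional

# Header field names from the page, in the order the headers are written.
CEF_HEADER = ("deviceVendor", "deviceProduct", "deviceVersion",
              "deviceEventClassId", "name", "severity")
LEEF_HEADER = ("deviceVendor", "deviceProduct", "deviceVersion",
               "deviceEventClassId")


def _text(value: Any) -> str:
    """Render a JSON value as text; objects and arrays become compact JSON."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if value is None:
        return ""
    if isinstance(value, (dict, list)):
        return json.dumps(value, separators=(",", ":"))
    return str(value)


def _header(value: Any) -> str:
    """Header field: backslash and pipe must be escaped (CEF spec)."""
    return _text(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: Any) -> str:
    """CEF extension value: escape backslash, '=' and line breaks.
    Left unescaped, a value such as "x\\nmsg=forged" injects a new key."""
    s = _text(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")


def _select(event: dict, include: Optional[Iterable[str]],
            exclude: Optional[Iterable[str]], header: Iterable[str]) -> dict:
    """Apply include (allow-list) or exclude (deny-list); header fields
    are consumed by the header and never repeated in the body."""
    keys = list(include) if include is not None else list(event)
    drop = set(exclude or ()) | set(header)
    return {k: event[k] for k in keys if k in event and k not in drop}


def convert_cef(event: dict, include=None, exclude=None) -> str:
    head = "|".join(_header(event.get(k)) for k in CEF_HEADER)
    body = " ".join(f"{k}={_cef_ext(v)}" for k, v in
                    _select(event, include, exclude, CEF_HEADER).items())
    return f"CEF:0|{head}|{body}"


def convert_leef(event: dict, include=None, exclude=None, delim="^") -> str:
    version = _text(event.get("leefVersion", "2.0"))
    if version.startswith("1"):
        delim = "\t"  # LEEF 1.0 has a fixed tab delimiter and no delimiter field
    head = "|".join(_header(event.get(k)) for k in LEEF_HEADER)

    def attr(v: Any) -> str:
        # LEEF defines no escape sequence for the delimiter, so this model
        # replaces it and any line break with a space (assumption).
        return _text(v).replace(delim, " ").replace("\r", " ").replace("\n", " ")

    body = delim.join(f"{k}={attr(v)}" for k, v in
                      _select(event, include, exclude,
                              LEEF_HEADER + ("leefVersion",)).items())
    if version.startswith("1"):
        return f"LEEF:{version}|{head}|{body}"
    return f"LEEF:{version}|{head}|{delim}|{body}"


# Constructed sample event; the awkward characters are deliberate.
SAMPLE_EVENT = {
    "deviceVendor": "Some Vendor",
    "deviceProduct": "Some Product",
    "deviceVersion": "1.0",
    "deviceEventClassId": "100",
    "name": "Login|failed",             # pipe inside a header field
    "severity": 5,
    "user": "alice=admin",              # '=' inside an extension value
    "srcIp": "10.0.0.5",
    "password": "hunter2",              # must never reach the sink
    "rawPayload": "line1\nmsg=forged",  # line break plus a forged key
}

if __name__ == "__main__":
    print(convert_cef(SAMPLE_EVENT, exclude=["password", "rawPayload"]))
    print(convert_leef(SAMPLE_EVENT, include=["user", "srcIp", "action"]))
```

With the exclude list the CEF line keeps user and srcIp only, the pipe in name is written as \| and the = in user as \=; with include=["rawPayload"] the embedded line break becomes the two characters \n, so the forged msg= key stays inside one value instead of becoming a second extension. The LEEF call mirrors the include form from the snippet above: action is absent from the event and is simply skipped.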

String manipulation

lower / upper

Normalise case before comparisons or joins.

| eval myfield=lower(field1)
| eval myfield=upper(field1)

Nested expressions

Compose helpers freely; inner calls are evaluated first.

| eval myfield=to_string(isnull(field1))
| eval myfield=lower(to_string(field1))
| eval myfield=if(isnull(field1), "missing", to_string(field1))

Examples

Basic arithmetic

| eval result=field1 + field2

Input:

{
"field1": 10,
"field2": 20
}

Result:

{
"field1": 10,
"field2": 20,
"result": 30
}

Conditional with type coercion

| eval result=if(isnull(field1), "missing", to_string(field1))

Input:

{
"field1": 42
}

Result:

{
"field1": 42,
"result": "42"
}

String manipulation

| eval result=upper(to_string(field1))

Input:

{
"field1": 42
}

Result:

{
"field1": 42,
"result": "42"
}

Usage notes

  • Nesting is allowed wherever the inner expression returns the type the outer function expects.
  • if conditions often combine isnull, comparisons, and to_boolean.
  • Conversions return null when the value cannot be coerced — guard with if / coalesce where needed.
  • upper / lower on non-strings may pass through or null out depending on version; normalise with to_string first when unsure.
  • Multiple assignments in one eval are separated by commas.