brazerzkidailover.blogg.se

Splunk where





The eval command is a distributable streaming command. You must specify a field name for the results that are returned from your eval command expression. You can specify a name for a new field or for an existing field. If the field name that you specify matches an existing field name, the values in the existing field are replaced by the results of the eval expression. Numbers and strings can be assigned to fields, while booleans cannot be assigned. However, you can convert booleans and nulls to strings using the tostring() function, and the resulting strings can be assigned to fields. For example, to use the literal string server- in an expression, surround it with double quotation marks, like this: new="server-".host.


Required arguments

field
Syntax:
Description: A destination field name for the resulting calculated value. If the field name already exists in your events, eval overwrites the value.

expression
Syntax:
Description: A combination of values, variables, operators, and functions that will be executed to determine the value to place in your destination field. The syntax of the eval expression is checked before running the search, and an exception is thrown for an invalid expression.

* The result of an eval expression cannot be a Boolean.
* If, at search time, the expression cannot be evaluated successfully for a given event, the eval command erases the resulting field.
* If the expression references a field name that contains non-alphanumeric characters, other than the underscore ( _ ) character, the field name needs to be surrounded by single quotation marks. For example, if the field name is server-1, you specify the field name like this: new=count+'server-1'.
* If the expression references a literal string, that string needs to be surrounded by double quotation marks.
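The quoting, Boolean and overwrite rules above, combined in one search. This is an added example, not taken from the Splunk documentation; the event is constructed with makeresults, and the values web01, 3 and 2 and the field names s1, total, over_limit, broken and no_such_field are assumptions chosen for illustration.

```spl
| makeresults
| eval host="web01", count=3, s1=2
| rename s1 AS "server-1"
| eval new="server-".host
| eval total=count+'server-1'
| eval over_limit=tostring(total>4)
| eval count=count*10
| eval broken=count+no_such_field
| table host count "server-1" new total over_limit broken
```

The comparison total>4 is wrapped in tostring() because a Boolean result cannot be assigned to a field, and count=count*10 replaces the existing count value. The broken column stays empty because its expression references a field that does not exist in the event, so it cannot be evaluated.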





