eval( ) Query Function

Creates a new field by evaluating the provided expression. The eval string must always start with an assignment (f=expr…). The result is stored in a field with that name. An expression can contain names of fields, strings and numbers. The available operators are ==, !=, +, -, *, and /, and expressions can be parenthesized.

In the context of an eval( ) expression, unlike in filters, identifiers always denote field values. For example, eval( is_warning= (loglevel==WARN) ) is most likely wrong, because WARN is read as the name of a field rather than as a string; you want to write (loglevel=="WARN"). Arguments are evaluated left to right.


Takes no parameters.


Get response size in KB

eval(responsesize = responsesize / 1024)

Add fields together

eval(c = a + b)

Match a field to the timespan. The count should be per minute, not per 5 minutes (the bucket span), so divide it by 5.

timechart(method, span=5min) | eval(_count=_count/5)