You're reading from Data Analytics Using Splunk 9.x A practical guide to implementing Splunk's features for performing data analysis at scale

Product type Paperback

Published in Jan 2023

Publisher Packt

ISBN-13 9781803249414

Length 336 pages

Edition 1st Edition

Tools

Splunk

Concepts

Data Analysis

Author (1):

Dr. Nadine Shillingford

View More author details

Table of Contents (18) Chapters

Preface

1. Part 1: Getting Started with Splunk

2. Chapter 1: Introduction to Splunk and its Core Components FREE CHAPTER

3. Chapter 2: Setting Up the Splunk Environment

4. Chapter 3: Onboarding and Normalizing Data

5. Part 2: Visualizing Data with Splunk

6. Chapter 4: Introduction to SPL

7. Chapter 5: Reporting Commands, Lookups, and Macros

8. Chapter 6: Creating Tables and Charts Using SPL

9. Chapter 7: Creating Dynamic Dashboards

10. Part 3: Advanced Topics in Splunk

11. Chapter 8: Licensing, Indexing, and Buckets

12. Chapter 9: Clustering and Advanced Administration

13. Chapter 10: Data Models, Acceleration, and Other Ways to Improve Performance

14. Chapter 11: Multisite Splunk Deployments and Federated Search

15. Chapter 12: Container Management

16. Index

Why subscribe?

17. Other Books You May Enjoy

Formatting and transforming data

In this section, we will look at some commands that can be added to the basic queries that we wrote in the previous section. To use these commands, we can add a pipe symbol and follow it with the new command.

The first command we will look at is the eval command. The eval command is one of the most important formatting commands in Splunk. This command allows us to perform calculations and either change the value of fields or create new fields. The form of the eval command is as follows:

…| eval <field>=<expression>, [<field>=<expression>]

Note that we use the pipe symbol in this search. The left-hand side of the pipe symbol passes results to the eval statement. If the field specified in eval exists, then the value of the field is replaced. If not, Splunk creates a new field. Note that this new field is not persistent – that is, it only exists for the duration of the search. Using eval does not change the...