Using the eval command and functions
The eval command is intended to override values in fields. Can use mathematical operations, string concatenation, comparison expressions, Boolean expressions, functions.
eval uses data types:
StringNumericBooleansNull
The eval command requires that the field values correspond to the operation type and seeks to preserve the original data type in the resulting value. For example, with the exception of addition, arithmetic operations may not produce valid results if the values are not numeric. When concatenating values with a dot ., the eval command defines both values as String, regardless of their actual type.
The eval command can work with conditional operators.
In the if and case constructs in the body of the condition, you can use comparison functions (in, like, isnull, isnotnull, etc.) and simple logical expressions.
String concatenation
The query will create a new field destination.geo.location based on the pattern destination.geo.city_name/destination.geo.continent_name.
source sm_cs_threat_indexes
| eval destination.geo.location=destination.geo.continent_name + "/" + destination.geo.city_name
| table destination.geo.location, destination.geo.continent_name, destination.geo.city_name
Creating a new field from a service field
The query will output several fields in a table and a new field Index ID. The value of the Index name field will be assigned from the index service field.
source sm_cs_auth_indexes
| table destination.address, destination.ip, source.ip, event.action
| eval index_name = _index
| rename destination.address as "Target server address", destination.ip as "Target server IP", source.ip as "Source IP", event.action as "Event", index_name as "Index ID"
Using conditional statements if, case
In the query, the eval command will create a new field event.log.out and assign it the value Exit if the value of the event.action field is logged-out, otherwise it will be assigned the value -.
source sm_cs_auth_indexes
| table destination.address, destination.ip, source.ip, event.action
| eval event.log.out = if(event.action == "logged-out", "Exit", "-")
| rename destination.address as "Destination Server Address", destination.ip as "Destination Server IP", source.ip as "Source IP", event.action as "Event", event.log.out as "Result"
In the query, the case command will compare three values in the event.action field. If you use the name of an already existing field, its value will be overwritten with the results of eval.
source sm_cs_auth_indexes
| table destination.address, destination.ip, source.ip, event.action
| eval event.log.out=case(event.action == "logged-out", "Exit", event.action == "logged-in", "Input", event.action == "kerberos-authentication-ticket-requested", "kerberos")
| rename destination.address as "Destination Server Address", destination.ip as "Destination Server IP", source.ip as "Source IP", event.action as "Event", event.log.out as "Result"
Using boolean expressions
The query uses a combination of the conditional operator if and the logical expression or.
source sm_cs_auth_indexes
| table destination.address, destination.ip, source.ip, event.action
| eval event.log.out = if(event.action == "logged-out" or event.action == "logged-in" , "Login/Exit", "Kerberos")
| rename destination.address as "Destination Server Address", destination.ip as "Destination Server IP", source.ip as "Source IP", event.action as "Event", event.log.out as "Result"
Using the like command
The query checks whether the value of the first argument matches the pattern specified in the second argument. If the value of the event.action field matches the pattern %logged%, the field event.log.out is assigned the value Login/Exit; otherwise, it is assigned Kerberos.
source sm_cs_auth_indexes
| table destination.address, destination.ip, source.ip, event.action
| eval event.log.out = if(like(event.action,"%logged%"), "Login/Exit", "Kerberos")
| rename destination.address as "Destination Server Address", destination.ip as "Destination Server IP", source.ip as "Source IP", event.action as "Event", event.log.out as "Result"
Mathematical and statistical operations
This example will show the total cost of the order for each user.
source food_orders
| stats latest(total_price) as "total_price_USD" by user_id
| rename user_id as "User ID"
This example will convert the field total_price_USD to total_price_eur (will convert the price from usd to eur), and with the help of the round command, round it to two decimal places.
source food_orders
| stats latest(total_price) as total_price_usd by user_id
| eval total_price_eur = round((total_price_usd * 1.09),2)
| table total_price_usd, total_price_eur, user_id
| rename total_price_usd as "Final price USD", total_price_eur as "Final price EUR", user_id as "User ID"
Working with text values
The query will convert the contents of the snyk.vulnerabilities.credit field to uppercase.
source sm_cs_vulnerability_indexes
| table snyk.vulnerabilities.cvss3, snyk.vulnerabilities.identifiers.alternative, snyk.vulnerabilities.credit
| eval snyk.vulnerabilities.credit_upper = upper(snyk.vulnerabilities.credit)
The trim command allows removing a substring from a field's value according to a pattern. The following query will add a new field snyk_trim and assign it the value of the snyk.vulnerabilities.identifiers.alternative field with the substring SNYK- removed.
source sm_cs_vulnerability_indexes
| table snyk.vulnerabilities.credit, snyk.vulnerabilities.credit, snyk.vulnerabilities.identifiers.alternative
| eval snyk.vulnerabilities.credit_upper = upper(snyk.vulnerabilities.credit)
| eval snyk_trim = trim(snyk.vulnerabilities.identifiers.alternative, "SNYK-")
The replace command will replace the value of the snyk_trim field with the second and third matched groups in the regular expression, i.e., the text after the first -.
source sm_cs_vulnerability_indexes
| table snyk.vulnerabilities.credit, snyk.vulnerabilities.credit, snyk.vulnerabilities.identifiers.alternative
| eval snyk.vulnerabilities.credit_upper = upper(snyk.vulnerabilities.credit)
| eval snyk_trim = trim(snyk.vulnerabilities.identifiers.alternative, "SNYK-")
| eval snyk_replace = replace(snyk_trim, "(\w+)\-(\w+)\-(\w+)", "$2-$3")
