The Alchemist's Lab • Room 1

Advanced Eval

The **eval** command calculates an expression and puts the resulting value into a new (or existing) field.

Use `if(X, Y, Z)` to evaluate: If X is TRUE, return Y. Otherwise, return Z.

Use `case(X1, Y1, X2, Y2, ...)` to evaluate multiple conditions left to right and return the Y value of the first TRUE condition.

Conditional Eval
```
| eval status_group=case(status>=200 AND status<300, "Success", status>=500, "Server Error")
```
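An added example, not part of the original lesson: it builds six constructed events with `makeresults`, applies the `case` expression above, and compares it with a version that covers every status range. The field names `n`, `status_group_full` and `needs_review` are chosen for this illustration.

```spl
| makeresults count=6
| streamstats count AS n
| eval status=case(n=1, 200, n=2, 204, n=3, 302, n=4, 404, n=5, 500, n=6, 503)
| eval status_group=case(status>=200 AND status<300, "Success", status>=500, "Server Error")
| eval status_group_full=case(status>=500, "Server Error", status>=400, "Client Error", status>=300, "Redirect", status>=200, "Success", true(), "Other")
| eval needs_review=if(isnull(status_group), "yes", "no")
| table status status_group status_group_full needs_review
```

Statuses 302 and 404 match neither condition of the original expression, so `case` returns NULL for `status_group` and `needs_review` is "yes" for those rows. In the full version the conditions run from the highest range to the lowest because `case` stops at the first TRUE condition, and the final `true()` supplies a default.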

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Write an eval statement to create a field "risk" which is "High" if count > 100, and "Low" otherwise.