Splunk Search

What are the limitations/benefits of using eval inside of stats commands?

ddrillic
Ultra Champion

One of our users is asking the following:

-- What are the limitations/benefits of using the eval command inside of the stats commands?

1 Solution

DavidHourani
Super Champion

Hi @ddrillic,

Using an eval inside a stats command optimizes your SPL because it allows you to run two commands in one shot.
If you take the example shown here:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Search/Usetheevalcommandandfunctions#Example_1:_U....
You can see | stats count(eval(status="404")), which is the equivalent of first running an eval, finding and tagging all events with status code 404, THEN running a count on that newly created field. With eval inside the stats it's all done in one shot, which is more optimal.

As for the downside, it's only that it's pretty limited and you can't use all sorts of eval expressions inside the stats.

Let me know if that helps.

Cheers,
David

ddrillic
Ultra Champion

Interesting @DavidHourani.

ddrillic
Ultra Champion

The SE added -

-- Yeah not much to add. The difference in practice will be pretty small to be perfectly honest. Same number of events, same number of computations, but doing them together will allow for better threaded-ness and memory efficiency.

ddrillic
Ultra Champion

Our user asked -

-- Thanks, I was curious about the efficiency of the SPL. A lot of times the queries I run hit up against memory limits, so getting more familiar with the memory usage of SPL is getting to be more important for me. I’m pretty familiar with the actual usage/syntax of that, but wasn’t sure about the efficiency.

Following on that, I know | tstats by default does not allow nested eval expressions. Is there another way to get the efficiency benefit of nested evals inside a tstats?

DavidHourani
Super Champion

Yeah, true, it can't be used for | tstats, but that doesn't mean you can't run stats on your tstats results and apply the eval there.

Think of tstats as a way to fetch the initial data, just like calling an index, only it's way faster on accelerated data models. Once the data is there you're free to run whatever you like on it.

ddrillic
Ultra Champion

And the SE added -

-- There is no way to combine tstats with eval.

tstats is used to reference either a datamodel or the index metadata. If it's a datamodel, it may be worth adding the eval'd field to the datamodel if this is an important use case.

DavidHourani
Super Champion

Exactly, and remember the lower the cardinality of your fields in the data model, the faster it will run when you accelerate it 🙂

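The searches below are an added illustration, not code from this thread or from Splunk's docs: they put the two-step eval-then-stats form next to the eval-inside-stats form David describes, and then show his tstats-then-stats workaround. The index name web_demo and the CIM Web data model with its Web.status field are assumptions, and the lines starting with # are annotations to strip before pasting into Splunk.

```spl
# Constructed example. index=web_demo and the Web data model are assumptions.

# Form 1: eval tags every event with a helper field, then stats sums it.
# Two passes over the events and an extra field carried between them.
index=web_demo sourcetype=access_combined
| eval is_404=if(status="404", 1, 0)
| stats sum(is_404) AS count_404, count AS total BY host

# Form 2: the same result with eval inside stats. One pass, no helper field.
index=web_demo sourcetype=access_combined
| stats count(eval(status="404")) AS count_404, count AS total BY host

# tstats does not accept eval inside its aggregation, so let it fetch the
# pre-aggregated rows from the accelerated data model first, then apply the
# eval in a following stats. Fields with a dot need single quotes in eval.
| tstats count FROM datamodel=Web WHERE index=web_demo BY host, Web.status
| stats sum(eval(if('Web.status'="404", count, 0))) AS count_404,
        sum(count) AS total BY host
```

The third search keeps the fast tstats fetch and only runs stats over the already-aggregated rows, so the eval is applied to a handful of rows per host rather than to every raw event.
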
DavidHourani
Super Champion

@ddrillic, can you please accept the answer if it was helpful? 🙂

ddrillic
Ultra Champion

Sure thing @DavidHourani - thank you as always for your insights and positive energy.
