Splunk

eval command

The eval command can be used with either table data or event data. If used with event data, the new field that is created won't be shown, because the event tab only shows the event data as a whole. Duh.

To show the new field that you have created then you will have to use the table command to include that new field.

Important note

If you use eval command with field names that include non-alphanumeric characters, other than '_', you must surround the field with single quotation marks. For example, if you are using 'server-1' field in your eval expression then you must do it like so

eval new=count+'server-1'
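The two points above (eval on event data needs a table command to make the new field visible, and non-alphanumeric field names must be single-quoted inside eval) put together in one search. This is an added example, not from the original notes; the index name, the JSON sourcetype and the field names response.time_ms and request-id are constructed to illustrate the quoting rule, since JSON events produce dotted field names that eval cannot reference unquoted.

```spl
index=app sourcetype=_json
| eval response_s = round('response.time_ms' / 1000, 2)
| eval slow = if('response.time_ms' > 2000, "yes", "no")
| eval summary = 'request-id' . " took " . response_s . "s"
| table _time, response.time_ms, response_s, slow, summary
```

Without the final table command the search still runs, but response_s, slow and summary never appear in the Events tab; with it the search lands in the Statistics tab with those columns.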

Inline eval

If you use inline eval with commands such as stats or chart, you can evaluate new fields from the existing ones; you just need to use AS to assign the result to a new column, as opposed to writing variable=<expression>.
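Inline eval inside stats, as an added example that is not part of the original notes. The index, sourcetype and the action, user and src field names are assumed; they model a Linux authentication log where each event is a login success or failure. Each count(eval(...)) is assigned a column with AS, and a normal eval then works on those columns.

```spl
index=auth sourcetype=linux_secure
| stats count(eval(action="failure")) AS failures,
        count(eval(action="success")) AS successes,
        dc(eval(if(action="failure", src, null()))) AS failing_sources
        BY user
| eval failure_ratio = round(failures / (failures + successes), 2)
| where failures > 20 AND failure_ratio > 0.8
| sort - failures
```

The stats line is the inline form (expression, then AS, then the new column name); the eval line after it is the variable=<expression> form, which is only possible once the stats columns exist.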

Event vs Statistics Tab

If you perform a normal search, the Events tab lists all the events that match the search query you specified. The Statistics tab will not display any reporting data, since you did not use any reporting commands.

Reporting commands are commands that create a table: commands such as stats count, table, or chart.

Reporting (transforming) command

As long as you don't use any transforming commands, your results will always be in the Events tab. If you use a transforming command, the data is transformed into numerical values and the results are ordered into a data table, which is why the result shows up in the Statistics tab.

Transforming commands are required if you need visualization.

Event data

An event is just the data that is sent by the forwarder and parsed by the indexer. It is associated with a timestamp.

The event can be a simple log, stack trace, or even a JSON payload.