Skip to content
Observability Stack

eval

Description

Section titled “Description”

The eval command evaluates an expression and appends the result as a new field to each event in the search results. If a field with the same name already exists, its value is overwritten. Use eval whenever you need to derive new values: unit conversions, string manipulation, conditional categorization, date arithmetic, or type casting.

eval supports arithmetic, string, date/time, conditional, and type conversion expressions. It is commonly paired with stats to prepare fields before aggregation or to compute derived metrics after aggregation.

Note: The eval command is executed on the coordinating node and is not pushed down to the OpenSearch query DSL.

Syntax

Section titled “Syntax”
eval <field> = <expression> [, <field> = <expression>]...

Arguments

Section titled “Arguments”
ParameterRequiredDescription
<field>YesThe name of the field to create or update. If the field does not exist, a new field is added. If it already exists, its value is overwritten.
<expression>YesThe expression to evaluate. Supports arithmetic operators (+, -, *, /, %), string functions, date functions, conditional functions (if(), case()), type casts (CAST), and more.

Usage notes

Section titled “Usage notes”

  • Multiple assignments in a single eval: Separate them with commas. This is more efficient than chaining multiple eval commands.

    | eval duration_ms = durationInNanos / 1000000, status_label = if(`status.code` = 0, 'OK', 'Error')

  • Later assignments can reference earlier ones: Within the same eval, a field defined on the left can be used by an expression on the right.

    | eval doubled = value * 2, quadrupled = doubled * 2

  • Overwriting existing fields: If you assign to an existing field name, the original value is replaced for all downstream commands. The original data in the index is not modified.

  • String concatenation: Use the + operator to concatenate strings. When mixing types, cast numeric values to strings first with CAST(field AS STRING).

  • Conditional expressions: Use if(condition, true_value, false_value) for simple two-way branching, or case(condition1, value1, condition2, value2, ... else default) for multi-way branching.

  • Works with all PPL functions: Any function available in PPL (string, math, date, type conversion) can be used in an eval expression.

  • No aggregation functions in eval: Aggregation functions like count() or avg() belong in stats, not eval. Use eval after stats to compute derived metrics from aggregated values.

Basic examples

Section titled “Basic examples”

Arithmetic — convert nanoseconds to milliseconds

Section titled “Arithmetic — convert nanoseconds to milliseconds”
source = otel-v1-apm-span-*
| eval duration_ms = durationInNanos / 1000000

String concatenation

Section titled “String concatenation”
source = logs-otel-v1*
| eval service_severity = `resource.attributes.service.name` + ' - ' + severityText

Try in playground →

Conditional with if()

Section titled “Conditional with if()”
source = logs-otel-v1*
| eval is_error = if(severityText = 'ERROR', 'yes', 'no')

Try in playground →

Multi-way conditional with case()

Section titled “Multi-way conditional with case()”
source = otel-v1-apm-span-*
| eval latency_tier = case(
    durationInNanos < 100000000, 'fast',
    durationInNanos < 500000000, 'moderate',
    durationInNanos < 1000000000, 'slow'
    else 'critical')

Type casting with string concatenation

Section titled “Type casting with string concatenation”
source = otel-v1-apm-span-*
| eval span_info = 'Service: ' + serviceName + ', Duration (ns): ' + CAST(durationInNanos AS STRING)

Extended examples

Section titled “Extended examples”

OTel: Categorize log severity into alert levels

Section titled “OTel: Categorize log severity into alert levels”

Derive an alert_level field from the numeric severity of log events, useful for routing alerts or filtering dashboards.

| eval alert_level = case(
    severityNumber >= 21, 'CRITICAL',
    severityNumber >= 17, 'ERROR',
    severityNumber >= 13, 'WARN',
    severityNumber >= 9,  'INFO'
    else 'DEBUG')
| stats count() as cnt by alert_level, `resource.attributes.service.name`

Try in playground →

OTel: Build a composite service identifier

Section titled “OTel: Build a composite service identifier”

Combine the service name and severity into a single field for downstream grouping or display.

| eval service_status = `resource.attributes.service.name` + ' [' + severityText + ']'
| head 20

Try in playground →

See also

Section titled “See also”
  • stats — aggregate results (often used after eval)
  • fields — select which fields to display
  • where — filter results using expressions
  • sort — order results by computed fields