The Eval Function

Description

The Eval Function is one of the most powerful Stream Functions. Using this Function, you can add, remove, and manipulate events in the Pipeline. You can review these Cribl resources to learn more about using Eval:

The parseWinEvent Expression

Stream provides many powerful Text Functions. The C.Text.parseWinEvent Function parses an XML string representing a Windows event into a compact, prettified JSON object. This Function can also exclude things such as null values. In this example, fields with values of -, 0x0, and 0** are removed from the event. The Eval Function should look like this:

eval1

Steps – Adding an Eval Function

important

Add Eval
In the XML Pipeline:

Select Add Function, search for Eval, and select it to add this Function to the Pipeline.
In the Evaluate Fields section, select Add Field.
in the Name column, add _raw.
Add the following to the Value Expression column:
```
C.Text.parseWinEvent(_raw,['-','0x0','0'])
```
Select Save.
In the right Preview Simple pane, find a green + _raw event, and click [+] at several levels to expand the whole event.

Results

The XML events on the right side have been parsed into Structured JSON objects, which are now much easier to read.

eval2

Examining Event Reduction Statistics

Hover over an event in the right pane, and select the statistics icon at the event's top-right corner.

eval3

A table will pop up. In the _raw Length column, you should see that the _raw event has been reduced at least 51% in size:

eval4

Basic Statistics

Finally, if you select the Basic Statistics icon at the top of the captured events, you can view the reduction across the entire sample.

eval6

Description​

The parseWinEvent Expression​

Steps – Adding an Eval Function​

Results​

Examining Event Reduction Statistics​

Basic Statistics​