
Use stats with eval expressions and functions

You can embed eval expressions and functions within any of the stats functions. This is a shorthand method for creating a search without using the eval command separately from the stats command.

For example, the following search uses the eval command to filter for a specific error code. Then the stats function is used to count the distinct IP addresses.

    status=* | eval dc_ip_errors=if(status=404,clientip,NULL()) | stats dc(dc_ip_errors)

As an alternative, you can embed an eval expression using eval functions in a stats function directly to return the same results. For example:

    status=* | stats dc(eval(if(status=404, clientip, NULL()))) AS dc_ip_errors

Use eval expressions to count the different types of requests against each Web server

This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into S...
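A search of the kind the heading above describes, added here as an example and not taken from the original page. It assumes Apache access events under a sourcetype matching access_* with the fields method, status, clientip and host extracted; the output field names are made up for illustration.

```spl
sourcetype=access_* status=*
| stats count AS total_requests,
        count(eval(method="GET")) AS get_requests,
        count(eval(method="POST")) AS post_requests,
        dc(eval(if(status=404, clientip, NULL()))) AS dc_ip_errors
        BY host
| eval pct_post=round(100 * post_requests / total_requests, 1)
| sort - dc_ip_errors
```

Each embedded eval needs an AS clause to name its result, and count(eval(...)) counts only the events for which the expression is true. Because if() returns NULL() for every non-404 event, dc() counts only the client IP addresses that produced a 404 on each host.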
