
Monday, May 4

Usage of Splunk EVAL Function : ABS


Usage of the Splunk EVAL function ABS is as follows:

This function takes a numeric value as input and returns its absolute value.



Definition :

How far a number is from zero:

"6" is 6 away from zero,
and "−6" is also 6 away from zero.
So the absolute value of 6 is 6,
and the absolute value of −6 is also 6.

So in practice "absolute value" means to remove any negative sign in front of a number, and to think of all numbers as positive (or zero).



Find below the skeleton of the usage of the function "abs" with EVAL :

     ..... | eval New_Field=abs(Existing_Numeric_Field)



     index="<Index_Name>"
     | head 5
     | eval New_Field=-10
     | eval Result=abs(New_Field)
     | table New_Field,Result


Result :

     New_Field    Result
     -10          10
     -10          10
     -10          10
     -10          10
     -10          10


Explanation :

In the query, "head 5" keeps only the first 5 rows, which is why only 5 rows appear in the result. Each row shows New_Field=-10 together with its absolute value, i.e., 10 (a positive number).
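A practical use of "abs" with "eval", added here as an example and not part of the original post: flagging values that sit far from a baseline in either direction, where a plain subtraction gives a negative number on the low side. The sample_host and sample_logins fields are constructed with makeresults so the search runs without any index, and the threshold of 20 is an assumed value.

```spl
| makeresults count=6
| streamstats count AS n
| eval sample_host="web-0".n
| eval sample_logins=case(n=1, 40, n=2, 42, n=3, 38, n=4, 41, n=5, 95, n=6, 2)
| eventstats avg(sample_logins) AS baseline
| eval deviation=sample_logins - baseline
| eval abs_deviation=abs(deviation)
| eval flagged=if(abs_deviation > 20, "yes", "no")
| table sample_host, sample_logins, baseline, deviation, abs_deviation, flagged
```

Filtering on deviation > 20 alone would catch only the unusually high host; comparing abs_deviation catches the unusually low one as well.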



Now you can effectively utilize "abs" function with "eval" command to meet your requirement !!

Hope you are now comfortable in : Usage of Splunk EVAL Function :  ABS

HAPPY SPLUNKING !!



