https://community.splunk.com/t5/Getting-Data-In/In-a-dashboard-query-how-do-you-use-a-JSON-field-in-an-if/m-p/446688#M77697 <P>@ShagVT ,</P> <P>Add ' to the fieldname to make it as literal and then do the comparison.</P> <P>Try</P> <PRE><CODE>sourcetype=newformat | eval blocked =if ('a.b.fieldname'=="BLOCKED", 1,0) </CODE></PRE> <P>Or <BR /> Rename the field and compare</P> <PRE><CODE>sourcetype=newformat|rename a.b.fieldname as fieldname |eval blocked =if (fieldname =="BLOCKED", 1,0) </CODE></PRE> Fri, 14 Dec 2018 02:40:40 GMT renjith_nair 2018-12-14T02:40:40Z https://community.splunk.com/t5/Getting-Data-In/In-a-dashboard-query-how-do-you-use-a-JSON-field-in-an-if/m-p/446686#M77695 <P>I have some data which is changing from a delimited format to JSON. In a dashboard, I have a query that for the old format would do this:</P> <P><STRONG>sourcetype=oldformat | eval blocked = if(fieldname=="BLOCKED",1,0)</STRONG><BR /> However, trying this against the JSON it doesn't work right.</P> <P><STRONG>sourcetype=newformat | eval blocked =if (a.b.fieldname=="BLOCKED", 1,0)</STRONG><BR /> But this doesn't seem to work ... all records evaluate to 0. I test this out, I ran the following, which was just bizarre:</P> <P><STRONG>sourcetype=newformat a.b.fieldname="BLOCKED" | eval blocked =if (a.b.fieldname=="BLOCKED", 1,0) | chart count by a.b.fieldname, blocked</STRONG><BR /> The result table looked like this:<BR /> <PRE><BR /> a.b.fieldname 0<BR /> BLOCKED 45<BR /> </PRE></P> <P>So it was able to search by the field name (it found only the correct records out of millions) and it shows the correct value (BLOCKED) ... but the if statement that works fine when not looking at JSON seems to be broken with the JSON.</P> <P>Any ideas?</P> Thu, 13 Dec 2018 21:26:48 GMT https://community.splunk.com/t5/Getting-Data-In/In-a-dashboard-query-how-do-you-use-a-JSON-field-in-an-if/m-p/446686#M77695 ShagVT 2018-12-13T21:26:48Z https://community.splunk.com/t5/Getting-Data-In/In-a-dashboard-query-how-do-you-use-a-JSON-field-in-an-if/m-p/446687#M77696 <P>did you see a.b.fieldname as a interesting field in your JSON data..??<BR /> can you post a sample of you json data..??</P> Fri, 14 Dec 2018 02:38:44 GMT https://community.splunk.com/t5/Getting-Data-In/In-a-dashboard-query-how-do-you-use-a-JSON-field-in-an-if/m-p/446687#M77696 prakash007 2018-12-14T02:38:44Z https://community.splunk.com/t5/Getting-Data-In/In-a-dashboard-query-how-do-you-use-a-JSON-field-in-an-if/m-p/446688#M77697 <P>@ShagVT ,</P> <P>Add ' to the fieldname to make it as literal and then do the comparison.</P> <P>Try</P> <PRE><CODE>sourcetype=newformat | eval blocked =if ('a.b.fieldname'=="BLOCKED", 1,0) </CODE></PRE> <P>Or <BR /> Rename the field and compare</P> <PRE><CODE>sourcetype=newformat|rename a.b.fieldname as fieldname |eval blocked =if (fieldname =="BLOCKED", 1,0) </CODE></PRE> Fri, 14 Dec 2018 02:40:40 GMT https://community.splunk.com/t5/Getting-Data-In/In-a-dashboard-query-how-do-you-use-a-JSON-field-in-an-if/m-p/446688#M77697 renjith_nair 2018-12-14T02:40:40Z https://community.splunk.com/t5/Getting-Data-In/In-a-dashboard-query-how-do-you-use-a-JSON-field-in-an-if/m-p/446689#M77698 <P>Both of these ideas were successful. <STRONG>THANK YOU!</STRONG></P> <P>So is this basically a bug in Splunk's evaluation of conditional functions?</P> Fri, 14 Dec 2018 13:53:41 GMT https://community.splunk.com/t5/Getting-Data-In/In-a-dashboard-query-how-do-you-use-a-JSON-field-in-an-if/m-p/446689#M77698 ShagVT 2018-12-14T13:53:41Z