<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: eval if(X,Y,Z) always returns Z whether X matches or not in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/eval-if-X-Y-Z-always-returns-Z-whether-X-matches-or-not/m-p/413174#M119138</link>
    <description>&lt;P&gt;@cblanton this is a very basic scenario which should work fine. Please try the following run anywhere example. When the Event is set to mock it returns NA. Which is the expected behavior.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| makeresults 
| eval Event="mock",MedRepoCloneMergeTime=strftime(now(),"%c")
| eval MedRepoCloneMergeTime=if(Event="mock", "NA", MedRepoCloneMergeTime)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This makes me think maybe the value in Event is not exactly the same as "mock". Does it have leading/trailing whitespace character? Or does it have a different casing?&lt;/P&gt;

&lt;P&gt;Try with &lt;CODE&gt;match()&lt;/CODE&gt; for regular expression case insensitive match instead of exact match &lt;CODE&gt;| eval MedRepoCloneMergeTime=if(match(Event,"(?i)mock"), "NA", MedRepoCloneMergeTime)&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;Following is a run anywhere example to test this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| makeresults 
| eval Event=" Mock ",MedRepoCloneMergeTime=strftime(now(),"%c")
| eval MedRepoCloneMergeTime=if(match(Event,"(?i)mock"), "NA", MedRepoCloneMergeTime)
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Thu, 25 Jul 2019 03:35:26 GMT</pubDate>
    <dc:creator>niketn</dc:creator>
    <dc:date>2019-07-25T03:35:26Z</dc:date>
    <item>
      <title>eval if(X,Y,Z) always returns Z whether X matches or not</title>
      <link>https://community.splunk.com/t5/Splunk-Search/eval-if-X-Y-Z-always-returns-Z-whether-X-matches-or-not/m-p/413170#M119134</link>
      <description>&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/ConditionalFunctions#if.28X.2CY.2CZ.29"&gt;https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/ConditionalFunctions#if.28X.2CY.2CZ.29&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;I'm trying to do this exact same thing but my search doesn't seem to recognize when Event="mock". It sets the Z value to MedRepoCloneMergeTime, regardless. I've tried changing the Z value and that changes, but when the X matches, it doesn't return Y, only Z. So it is returning Z and not ignoring the eval all together.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;|eval MedRepoCloneMergeTime=if(Event="mock", "NA", MedRepoCloneMergeTime)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;When X doesn't match, it also returns Z.&lt;/P&gt;</description>
      <pubDate>Wed, 24 Jul 2019 21:55:29 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/eval-if-X-Y-Z-always-returns-Z-whether-X-matches-or-not/m-p/413170#M119134</guid>
      <dc:creator>cblanton</dc:creator>
      <dc:date>2019-07-24T21:55:29Z</dc:date>
    </item>
    <item>
      <title>Re: eval if(X,Y,Z) always returns Z whether X matches or not</title>
      <link>https://community.splunk.com/t5/Splunk-Search/eval-if-X-Y-Z-always-returns-Z-whether-X-matches-or-not/m-p/413171#M119135</link>
      <description>&lt;P&gt;Z is the false statement, so its stating that field:"Event" does not match "mock". Try using a like statement &lt;/P&gt;

&lt;P&gt;|eval "newEvent"=if(like(Event, "%mock%"), "true", "false")&lt;/P&gt;</description>
      <pubDate>Wed, 24 Jul 2019 22:11:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/eval-if-X-Y-Z-always-returns-Z-whether-X-matches-or-not/m-p/413171#M119135</guid>
      <dc:creator>mmqt</dc:creator>
      <dc:date>2019-07-24T22:11:07Z</dc:date>
    </item>
    <item>
      <title>Re: eval if(X,Y,Z) always returns Z whether X matches or not</title>
      <link>https://community.splunk.com/t5/Splunk-Search/eval-if-X-Y-Z-always-returns-Z-whether-X-matches-or-not/m-p/413172#M119136</link>
      <description>&lt;P&gt;That didn't work either.&lt;/P&gt;

&lt;P&gt;MedRepoCloneMergeTime and Event are existing fields. It returns Z even if the eval should be true.&lt;/P&gt;

&lt;P&gt;Event only has 4 options in my data. Even when I add Event="mock" to the search it returns false.&lt;/P&gt;</description>
      <pubDate>Wed, 24 Jul 2019 22:19:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/eval-if-X-Y-Z-always-returns-Z-whether-X-matches-or-not/m-p/413172#M119136</guid>
      <dc:creator>cblanton</dc:creator>
      <dc:date>2019-07-24T22:19:54Z</dc:date>
    </item>
    <item>
      <title>Re: eval if(X,Y,Z) always returns Z whether X matches or not</title>
      <link>https://community.splunk.com/t5/Splunk-Search/eval-if-X-Y-Z-always-returns-Z-whether-X-matches-or-not/m-p/413173#M119137</link>
      <description>&lt;P&gt;can you share your full search and data sample?&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jul 2019 01:10:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/eval-if-X-Y-Z-always-returns-Z-whether-X-matches-or-not/m-p/413173#M119137</guid>
      <dc:creator>adonio</dc:creator>
      <dc:date>2019-07-25T01:10:14Z</dc:date>
    </item>
    <item>
      <title>Re: eval if(X,Y,Z) always returns Z whether X matches or not</title>
      <link>https://community.splunk.com/t5/Splunk-Search/eval-if-X-Y-Z-always-returns-Z-whether-X-matches-or-not/m-p/413174#M119138</link>
      <description>&lt;P&gt;@cblanton this is a very basic scenario which should work fine. Please try the following run anywhere example. When the Event is set to mock it returns NA. Which is the expected behavior.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| makeresults 
| eval Event="mock",MedRepoCloneMergeTime=strftime(now(),"%c")
| eval MedRepoCloneMergeTime=if(Event="mock", "NA", MedRepoCloneMergeTime)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This makes me think maybe the value in Event is not exactly the same as "mock". Does it have leading/trailing whitespace character? Or does it have a different casing?&lt;/P&gt;

&lt;P&gt;Try with &lt;CODE&gt;match()&lt;/CODE&gt; for regular expression case insensitive match instead of exact match &lt;CODE&gt;| eval MedRepoCloneMergeTime=if(match(Event,"(?i)mock"), "NA", MedRepoCloneMergeTime)&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;Following is a run anywhere example to test this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| makeresults 
| eval Event=" Mock ",MedRepoCloneMergeTime=strftime(now(),"%c")
| eval MedRepoCloneMergeTime=if(match(Event,"(?i)mock"), "NA", MedRepoCloneMergeTime)
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 25 Jul 2019 03:35:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/eval-if-X-Y-Z-always-returns-Z-whether-X-matches-or-not/m-p/413174#M119138</guid>
      <dc:creator>niketn</dc:creator>
      <dc:date>2019-07-25T03:35:26Z</dc:date>
    </item>
    <item>
      <title>Re: eval if(X,Y,Z) always returns Z whether X matches or not</title>
      <link>https://community.splunk.com/t5/Splunk-Search/eval-if-X-Y-Z-always-returns-Z-whether-X-matches-or-not/m-p/413175#M119139</link>
      <description>&lt;P&gt;It depends on what you mean by &lt;CODE&gt;match&lt;/CODE&gt;.   In &lt;CODE&gt;search&lt;/CODE&gt;, &lt;CODE&gt;Event="mock"&lt;/CODE&gt; will be case &lt;CODE&gt;insensitive&lt;/CODE&gt;, but in &lt;CODE&gt;if/where&lt;/CODE&gt;, it will be case &lt;CODE&gt;sensitive&lt;/CODE&gt; to make it the same, do this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;... |eval MedRepoCloneMergeTime=if(match(Event, "^(?i)mock$"), "NA", MedRepoCloneMergeTime)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Also, maybe you are assuming that &lt;CODE&gt;Event&lt;/CODE&gt; has your event in it, but it does not, that field is called &lt;CODE&gt;_raw&lt;/CODE&gt; so perhaps what you really need is this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;... |eval MedRepoCloneMergeTime=if(match(_raw, "(?i)mock"), "NA", MedRepoCloneMergeTime)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;It is hard to tell because you did not give us your events.&lt;/P&gt;</description>
      <pubDate>Fri, 26 Jul 2019 19:45:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/eval-if-X-Y-Z-always-returns-Z-whether-X-matches-or-not/m-p/413175#M119139</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2019-07-26T19:45:13Z</dc:date>
    </item>
  </channel>
</rss>

