topic Re: Need help with eval and if then statement - showing errors. in Splunk Search

Need help with eval and if then statement - showing errors.

UMDTERPS — Tue, 29 Jan 2019 17:38:15 GMT

| inputlookup list.csv 
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix  + newnorton  + newmcafee

The above search works and returns all of the columns needed and adds the correct numbers to the columns.

However, I am trying run an eval and if then statement after the above search as follows:

| inputlookup list.csv 
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix  + newnorton  + newmcafee
| eval search1 = if (search_score == 1, [search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model], "")

The above search fails with the following error:

Error in 'eval' command: Fields cannot
be assigned a boolean result. Instead,
try if([bool expr], [expr], [expr]).
The search job has failed due to an
error. You may be able view the job in
the Job Inspector.

If I run just the search:

|search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model

It runs just fine.

Any ideas why the | eval search1 = if is not working?

Re: Need help with eval and if then statement - showing errors.

adonio — Thu, 31 Jan 2019 18:55:49 GMT

try this:

| where index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model

Re: Need help with eval and if then statement - showing errors.

vishaltaneja070 — Tue, 29 Sep 2020 23:03:17 GMT

Re: Need help with eval and if then statement - showing errors.

UMDTERPS — Fri, 01 Feb 2019 14:07:01 GMT

Hello!

For this search we are using a lookuptable (CSV), so | inputlookup list.csv needs to be there.

For further clarification the eval statement below:

| eval newbigfix=if(bigfix = 1,1,0)

What this statement is saying is that if the ip has a 1 in the bigfix field we assign it a 1, if it doesn't -it assigns it a 0 (because it doesn't have big fix). The number it gets assigned goes into the "newbigfix" field.

The above is that same for all 3 eval statements. Once the "New" score is assigned for a given IP, I do an eval to add up all of the numbers and place the number in a new field called "search score":

| eval search_score = newbigfix + newnorton + newmcafee

In order to return the correct fields, I use another eval statement "search1" to return fields based on the "search_score"

| eval search1 = if (search_score == 1, [search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model], "")

Re: Need help with eval and if then statement - showing errors.

woodcock — Fri, 01 Feb 2019 17:39:58 GMT

Give me a mockup of what you expect search1 to contain at the end.

Re: Need help with eval and if then statement - showing errors.

UMDTERPS — Tue, 29 Sep 2020 23:09:14 GMT

We have 4 fields in the | inputlookup list.csv as follows:

ip                 bigfix       norton      mcafee 
198.168.1.25       1          0                 0

1. | inputlookup list.csv 
2. | eval newbigfix=if(bigfix = 1,1,0)
3. | eval newnorton=if(norton = 1,3,0)
4. | eval newmcafee=if(mcafee = 1,6,0)
5. | eval search_score = newbigfix + newnorton + newmcafee

The if then eval statements looks at the fields to see if there is a 0 or 1 in each of the agent fields and then creates a new column called “search_score” by adding all of the numbers agent field numbers together and assigns a score:

ip                bigfix        norton      mcafee     search_score
198.168.1.25       1           0                      0     1

For example, in the case of 198.168.1.25, the if than statement sees that there is a 1 for bigfix and a 0 for norton and mcafee. The final eval statement will add all of the scores together and assign a score. In this case, because 198.168.1.25 only has a 1 for bigfix and 0 for norton and mcafee, it will be assigned a 1 for the newly created "search_score" field.

| eval search1 = if (search_score == 1, [search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model], "")

In regards to your question, “search1" looks to see which ips have a search score equal to 1, because we know that having a search_score equal to 1 can only mean the ip has a 1 for big fix. search1 will return the following fields from bigfix- IPAddress, CompName, MAC , OS, Manufacturer, Model. If the ip has a search_score of 4, we know the ip has bigfix and norton, search1 will return fields from bigfix and norton. I chose just to use bigfix in search1 as an example to make it less complicated to explain for help.

Does that help in better understanding of what search 1 is suppose to do?

Re: Need help with eval and if then statement - showing errors.

UMDTERPS — Wed, 06 Feb 2019 15:48:53 GMT

Error in 'makeresults' command: This
command must be the first command of a
search. The search job has failed due
to an error. You may be able view the
job in the Job Inspector.

Re: Need help with eval and if then statement - showing errors.

woodcock — Fri, 08 Feb 2019 20:05:38 GMT

I know that you are trying but it still makes absolutely no sense to me at all. Let's go back around again. Show me 5 lines of what the output is after the | eval search_score = newbigfix + newnortn + newmcafee line executes. Then DO NOT SHOW ANY MORE SPL. Just show me how you would like those 5 lines transformed for your final result.

Re: Need help with eval and if then statement - showing errors.

woodcock — Tue, 12 Feb 2019 06:23:13 GMT

Maybe this?

index="bigfix"
[|inputlookup list.csv 
| eval search_score = if(bigfix = 1,1,0) + if(norton = 1,3,0) + if(mcafee = 1,6,0)
| where search_score==1
| rename ip AS IPAddress
| table IPAddress]
| table IPAddress, CompName, MAC , OS, Manufacturer, Model