topic Re: EVAL for ELSE IF condition in Splunk Search

EVAL for ELSE IF condition

davidcraven02 — Tue, 09 Jan 2018 15:31:53 GMT

My logic for my field "Action" is below, but because there is different else conditions I cannot write an eval do achieve the below.

if (Location="Varonis" AND (like(Path,"%Hosting%")
then Status=Action Required

else if(Location="Varonis" AND ( MonitoringStatus!="Monitored" OR MonitoringStatus=null )
then Status=Action Required

else if(Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus=null )
then Status=Action Required

Re: EVAL for ELSE IF condition

micahkemp — Tue, 09 Jan 2018 15:44:03 GMT

Consider the case function.

Example from the doc:

eval description=case(error ==404, "Not found", error == 500,
"Internal Server Error", error == 200, "OK")

Though your example looks like it could be done in a single if, using OR to join the clauses since they all have the same return value of Action Required.

Re: EVAL for ELSE IF condition

nickhills — Tue, 09 Jan 2018 15:46:44 GMT

The last two statements look identical, so assuming there are 3 statements:

Maybe case would be more useful:

...|eval Status=case((Location="Varonis" AND (like(Path,"%Hosting%"))),"Action Required",(Location="Varonis" AND ( MonitoringStatus!="Monitored" OR MonitoringStatus="null" )),"Action required",(Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null" )),"Action Required",1<2,"No Action required")

Re: EVAL for ELSE IF condition

mayurr98 — Tue, 09 Jan 2018 15:58:05 GMT

hey try this

 <your_base_query> 
| eval Status=if((Location="Varonis" AND like(Path,"%Hosting%")),"Action Required",(Location="Varonis" AND (MonitoringStatus!="Monitored" OR MonitoringStatus="null")),"Action Required",(Location="Varonis" AND (DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null")),"Action Required","Action NOT Required")

I hope this helps you!

Re: EVAL for ELSE IF condition

493669 — Tue, 09 Jan 2018 16:27:40 GMT

can you try below:

...| eval Status=if((Location="Varonis" AND like(Path,"%Hosting%")),"Action Required",(Location="Varonis" AND (MonitoringStatus!="Monitored" OR MonitoringStatus="null" OR DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null")),"Action Required",1=1,"Action NOT Required")

I have combined two conditions

Re: EVAL for ELSE IF condition

davidcraven02 — Tue, 09 Jan 2018 16:37:09 GMT

Thank you , this mostly works, the only issue is that for NULL values in DayBackUpStatus that exist within Varonis are not getting picked up as action required.

Re: EVAL for ELSE IF condition

mayurr98 — Tue, 09 Jan 2018 16:45:21 GMT

hey @davidcraven02
you need to put null in "null" in order to make it work.
try my search!

Re: EVAL for ELSE IF condition

nickhills — Tue, 09 Jan 2018 17:02:24 GMT

sorry sloppy copy and paste on my part.
null should be double quoted - or you could use isnull()

Re: EVAL for ELSE IF condition

davidcraven02 — Tue, 09 Jan 2018 19:22:22 GMT

This didnt work, the query below his doesnt pick up null values and when I use isnull() it makes all the status column equal 'Action Required' for all

|eval Status=case((Location="Varonis" AND (like(Path,"%Hosting%"))),"Action Required",
(Location="Varonis" AND ( MonitoringStatus!="Monitored" OR MonitoringStatus="null" )),"Action required", (Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null" )),"Action Required",1<2,"No Action required")

Re: EVAL for ELSE IF condition

nickhills — Tue, 09 Jan 2018 19:36:25 GMT

do the fields contain the word null, or are they empty?

if empty, could you try MonitoringStatus!=*

Re: EVAL for ELSE IF condition

aniketsamudra — Thu, 15 Feb 2024 10:41:45 GMT

Having a similar issue,

| eval Test= if( (like('thrown.extendedStackTrace',"%403%"),"403"),(like('thrown.extendedStackTrace',"%404%"),"404"),"###ERROR####")

But getting error as -->

Error in 'EvalCommand': The expression is malformed. Expected ).

Re: EVAL for ELSE IF condition

ITWhisperer — Thu, 15 Feb 2024 12:08:04 GMT

Brackets in the wrong place and it looks like the else part of the first if should start with another if

| eval Test= if( (like('thrown.extendedStackTrace',"%403%"),"403", if(like('thrown.extendedStackTrace',"%404%"),"404","###ERROR####"))

Re: EVAL for ELSE IF condition

aniketsamudra — Fri, 16 Feb 2024 03:17:40 GMT

Nope!

Getting error as

Error in 'EvalCommand': The expression is malformed. Expected ).

Re: EVAL for ELSE IF condition

scelikok — Fri, 16 Feb 2024 03:27:53 GMT

Hi @aniketsamudra

You should use case statement like below;

| eval Test=case(like('thrown.extendedStackTrace',"%403%"),"403", like('thrown.extendedStackTrace',"%404%"),"404",1=1,"###ERROR####")

Re: EVAL for ELSE IF condition

aniketsamudra — Fri, 16 Feb 2024 03:31:03 GMT

Got it resolved.. corrected one bracket

Thank You so much for the pointer on 'if' required everytime