topic Re: If Statement vs SearchMatch in Splunk Search

If Statement vs SearchMatch

IRHM73 — Wed, 16 Mar 2016 14:00:54 GMT

Hi, I wonder whether someone may be able to help me please.

I'm starting to get to grips with the 'If' statements and understand the basics around these. But I'm using an existing query which contains the line as shown below.

I would understand this if it didn't have the 1 at the end of the statement, but I just wondered whether someone could explain what the 1 actually does.

|eval Interstitpage=if('detail.journey'="Interstitial",1, 0 )

In addition could someone tell me please would it more efficient to use the "searchmatch" I've read about, and if, could someone possibly explain I may incorporate it into this example.

Many thanks and kind regards

Chris

Re: If Statement vs SearchMatch

richgalloway — Wed, 16 Mar 2016 14:24:19 GMT

The eval statement is creating a pseudo-boolean variable and setting its value. If the detail.journey field has the value "Interstitial" then Interstitpage is set to 1 to represent 'true'; otherwise it is set to 0 to represent 'false'.
I've not used the searchmatch function in part because it is poorly documented. Chatter about it on Answers, however, indicate including a field name in searchmatch can be problematic.

Re: If Statement vs SearchMatch

IRHM73 — Wed, 16 Mar 2016 14:58:40 GMT

Hi @richgalloway, thank you for taking the time to reply to my post, so in essence it's looking to see if a value exists?

So if I've undertsood it correctly in another example I have here:

eval NewUserOptedOut=if(('detail.digital'="false") AND ('detail.journey'="Interstitial"),1, 0 )

Am I correct in saying that if both "detail.digitial="false AND "detail.journey"=Intersitial" then set the result to "True", if not set to "False"?

Many thanks and kind Regards

Chris

Re: If Statement vs SearchMatch

richgalloway — Wed, 16 Mar 2016 15:06:10 GMT

Yes, you are correct, except that NewUserOptedOut will not be a true Boolean variable. That is, a statement like if (NewUserOptedOut, foo, bar) won't work. It would have to be if (NewUserOptedOut==1, foo, bar).

Re: If Statement vs SearchMatch

IRHM73 — Wed, 16 Mar 2016 15:12:33 GMT

Hi, so it's clearly a little different to where there is only one field i.e. one variable?

Kind Regards

Chris

Re: If Statement vs SearchMatch

richgalloway — Wed, 16 Mar 2016 15:29:09 GMT

I don't understand your question, Chris.

Re: If Statement vs SearchMatch

IRHM73 — Wed, 16 Mar 2016 15:37:04 GMT

Hi, my apologies. I was just a little confused by your reply where you highlighted that "NewUserOptedOut" would not be a true boolean. I guess I put 2 and 2 together and came up with 5.

Is there any chance you could elaborate on your answer please.

Many thanks and kind regards

Chris

Re: If Statement vs SearchMatch

richgalloway — Wed, 16 Mar 2016 18:06:51 GMT

A true Boolean value holds the result of an assertion (a yes/no test). It's actual content is known only to the "operating system". Booleans cannot be used with an [in]equality operator because we don't know what to compare them to.
Many programming languages, like C, don't use true Booleans. They assign numeric values to "true" and "false" which allows for constructs such as 'if foo == 0' (a statement which is true if foo is false).
Before we get too far off-track, the original eval command is converting a Boolean expression ('detail.journey'="Interstitial") into a numeric expression (1 or 0) for some later use. Splunk restricts how Booleans can be used in some commands, but converting the Boolean to an integer removes those restrictions.

Re: If Statement vs SearchMatch

IRHM73 — Thu, 17 Mar 2016 06:13:58 GMT

Hi, thank you for coming back to me with this. This explanation helps a great deal, so thank you for taking the time to put it together.

Kind Regards

Chris