https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619043#M215148 <BLOCKQUOTE><HR />Field name should be in double quotes.<HR /></BLOCKQUOTE><P>Field name should not be in double quotes. &nbsp;Double quote encloses literal strings in SPL. &nbsp;Single quotes enclose field names.</P> Tue, 01 Nov 2022 04:59:10 GMT yuanliu 2022-11-01T04:59:10Z https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619036#M215143 <P>Hi,</P> <P>I wrote a eval command and its not working. Kindly help.</P> <P>source = "2access_30DAY.log" | eval "new_field" = case('status'=200, 'Suman and Cloeh are best couple') | table "status" "new_field"</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="eval1.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/22251i208496116F3D16B5/image-size/large?v=v2&amp;px=999" role="button" title="eval1.png" alt="eval1.png" /></span></P> <P>Regards</P> <P>Suman P.</P> Tue, 01 Nov 2022 04:19:31 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619036#M215143 SumanPalisetty 2022-11-01T04:19:31Z https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619038#M215145 <P>&nbsp;</P><LI-CODE lang="markup">source = "2access_30DAY.log" | eval "new_field" = case('status'==200, "Suman and Cloeh are best couple") | table "status" "new_field"</LI-CODE><P>&nbsp;</P> Tue, 01 Nov 2022 04:21:15 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619038#M215145 yuanliu 2022-11-01T04:21:15Z https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619041#M215146 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a>&nbsp;but I have a question please. Field name should be in double quotes. so, shouldn't status be in double quotes? Why is it giving me an error when I use it?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="eval2.png" style="width: 857px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/22253i2976D5DD0C5BC361/image-size/large?v=v2&amp;px=999" role="button" title="eval2.png" alt="eval2.png" /></span></P><P>Regards</P><P>Suman P.</P> Tue, 01 Nov 2022 04:51:45 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619041#M215146 SumanPalisetty 2022-11-01T04:51:45Z https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619043#M215148 <BLOCKQUOTE><HR />Field name should be in double quotes.<HR /></BLOCKQUOTE><P>Field name should not be in double quotes. &nbsp;Double quote encloses literal strings in SPL. &nbsp;Single quotes enclose field names.</P> Tue, 01 Nov 2022 04:59:10 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619043#M215148 yuanliu 2022-11-01T04:59:10Z https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619044#M215149 <P>Which means that my initial reply copied the original code too much.</P><LI-CODE lang="markup">source = "2access_30DAY.log" | eval "new_field" = case('status'==200, "Suman and Cloeh are best couple") | table status new_field</LI-CODE><P>(When there is no ambiguity as to where the field name ends, i.e., no space or special characters in field name, you can skip single quotes.)&nbsp;</P> Tue, 01 Nov 2022 05:02:02 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619044#M215149 yuanliu 2022-11-01T05:02:02Z https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619045#M215150 <BLOCKQUOTE><HR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a>&nbsp;wrote:<BR /><BLOCKQUOTE><HR />Field name should be in double quotes.<HR /></BLOCKQUOTE><P>Field name should not be in double quotes. &nbsp;Double quote encloses literal strings in SPL. &nbsp;Single quotes enclose field names.</P><HR /></BLOCKQUOTE><P>Correction. &nbsp;Single quotes dereferences a field, i.e., points to a value. &nbsp;When you compare with a number literal (200), you need a numerical value to compare, not a string.</P><P>The use of double quotes is slightly complicated. &nbsp;When appearing on the left-hand side of an assignment or in tabulation (including groupby terms), they enclose field names. &nbsp;In the right-hand side of an assignment or any other form of evaluation expression, they enclose literal strings.</P> Tue, 01 Nov 2022 05:16:15 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619045#M215150 yuanliu 2022-11-01T05:16:15Z https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619046#M215151 <P>As <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a>&nbsp;says, quoting and eval is a little complicated and can be a little confusing</P><P>Just remember the rule with eval</P><P><STRONG><FONT color="#FF0000">Left hand side</FONT></STRONG>&nbsp;(LHS) of the eval statement can ONLY use double quotes and only if needed, e.g.&nbsp;</P><LI-CODE lang="markup">| eval "status"=case(...)</LI-CODE><P>does NOT need double quotes as it does not contain spaces and can be written as</P><LI-CODE lang="markup">| eval status=case(...)</LI-CODE><P>However, this left hand side MUST use double quotes, as it contains spaces</P><LI-CODE lang="markup">| eval "Total Errors"=123</LI-CODE><P>&nbsp;</P><P><STRONG><FONT color="#FF0000">Right hand side</FONT></STRONG>&nbsp;(RHS) of the eval&nbsp;</P><UL><LI>Is written without any quotes if a simple field name (e.g. just letters)<UL><LI>e.g. status</LI></UL></LI><LI>SINGLE quotes if the field contains certain special characters or starts with a number<UL><LI>e.g. 'Total Errors' or '1stValue' or 'my:Special:Field'</LI></UL></LI></UL><P>&nbsp;</P><P><STRONG><FONT color="#FF0000">Note</FONT></STRONG> though how the following seems confusing with treatment of LHS and RHS names</P><LI-CODE lang="markup">| eval 1stValue=123 | eval value='1stValue'</LI-CODE><P>Although the 1stValue assignment does NOT need double quotes on the LHS even though it starts with a number, the RHS DOES need single quotes, so eval does not start to treat it as a number.</P><P>&nbsp;</P><P>As a general rule, it is always safe to use SINGLE quotes round a field on the RHS. In your example, you put the 'Suman...' in single quotes, so Splunk thought that was a field you were assigning to new_field, hence it had no value.</P><P>&nbsp;</P> Tue, 01 Nov 2022 05:38:54 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619046#M215151 bowesmana 2022-11-01T05:38:54Z https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619047#M215152 <P>In addition to this - note that the previous comment applies to EVAL and NOT to other operations such as aggregations.</P><P>In that case, you will use double quotes - yes I know this is confusing - but take this for example where you have fields called</P><UL><LI>sale price</LI><LI>sale quantity</LI></UL><P>both contain spaces and need a single quote in the EVAL, but in the stats command, the sale quantity field needs to be encapsulated in DOUBLE quotes, not single quotes.</P><LI-CODE lang="markup">| eval "dollar price"='sale quantity' * 'sale price' | stats sum("dollar price") as "dollar total" sum("sale quantity") as quantity</LI-CODE><P>&nbsp;</P> Tue, 01 Nov 2022 05:49:10 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-eval-command-case-function-not-working/m-p/619047#M215152 bowesmana 2022-11-01T05:49:10Z