topic Re: eval function splunk in Splunk Search

eval function splunk

disha — Thu, 10 Jan 2013 21:18:47 GMT

In my search I need functionality like
My search...| if eventid=1 then "table a,b,c",if eventid=2 then "table c,d",if eventid =3 then "table p,q,r,s"
I tried eval case..but I am getting syntax error or it is not giving required output.
Please help.
Thanks.

Re: eval function splunk

jcoates_splunk — Thu, 10 Jan 2013 23:14:12 GMT

Hard to say without data, but I think you might be needing fillnull. I think that $mysearch needs to return everything that might be needed, so try putting fillnull value=NULL a b c d p q r s before the evals?

Re: eval function splunk

lguinn2 — Thu, 10 Jan 2013 23:51:06 GMT

The results of if statements and eval statements cannot be commands. So, to take jcoates answer a step further:

Assume that you have the fields a b c d p q r s. Then, do this

yoursearchhere
| table eventid a b c d p q r s

I don't think that you actually need the fillnull, although it shouldn't hurt.

Of course, this table will have field headers that may be empty. It's a little complicated, but you could do this

yoursearchhere
| eval list = case(eventid=="1", a + "\t" + b + "\t" + c,
                          eventid=="2", c + "\t" + d
                          eventid=="3", p + "\t" + q + "\t" + r+ "\t" + s)
| table list

BTW, I am hoping that "\t" will translate to the tab character. I haven't actually tried that part.

Re: eval function splunk

disha — Tue, 15 Jan 2013 00:30:53 GMT

Thankyou So much.