https://community.splunk.com/t5/Splunk-Search/Need-help-on-why-my-eval-if-statement-isn-t-working/m-p/674661#M230934 <P>Hello,&nbsp; I've been researching this online for over a day and nothing seems to be working for me.&nbsp; I have 2 EVAL IF statements that simply looks at the network.connectType field.&nbsp;&nbsp;</P><P>| eval MOBILE=if(network.connectType="MOBILE","1","0")</P><P>| eval WIFI=if(network.connectType="WIFI","1","0")</P><P>I am in need of creating a table that would show the count of MOBILE, WIFI, TOTAL, by Branch.</P><P>i.e&nbsp; Branch | Total | WIFI | MOBILE</P><P>I'm able to create the table, but the two evals always show the same counts as the Total count.&nbsp; I can't figure out why I am doing wrong.</P><P>The search I am using is the following:</P><P>index=main "details.package"="com.siteone.mobilepro", "details.tag"="Connectivity Service", event=NoConnectivityEvent, "details.message.additionalInfo.NetworkAccessStatus"="None"<BR />| fields network.connectType, event, userSettings.site<BR />| eval MOBILE=if(network.connectType="MOBILE","1","0")<BR />| eval WIFI=if(network.connectType="WIFI","1","0")<BR />| stats values("userSettings.site") as Branch, count(event) as "Total Disconnects", count(MOBILE) as "Cellular Disconnects", count(WIFI) as "Wifi Disconnects" by "userSettings.site"<BR />| table Branch, "Total Disconnects", "Wifi Disconnects", "Cellular Disconnects"</P><P>&nbsp;</P><P>Any help on this would be awesome and much appreciated.</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 18 Jan 2024 13:50:49 GMT mninansplunk 2024-01-18T13:50:49Z https://community.splunk.com/t5/Splunk-Search/Need-help-on-why-my-eval-if-statement-isn-t-working/m-p/674661#M230934 <P>Hello,&nbsp; I've been researching this online for over a day and nothing seems to be working for me.&nbsp; I have 2 EVAL IF statements that simply looks at the network.connectType field.&nbsp;&nbsp;</P><P>| eval MOBILE=if(network.connectType="MOBILE","1","0")</P><P>| eval WIFI=if(network.connectType="WIFI","1","0")</P><P>I am in need of creating a table that would show the count of MOBILE, WIFI, TOTAL, by Branch.</P><P>i.e&nbsp; Branch | Total | WIFI | MOBILE</P><P>I'm able to create the table, but the two evals always show the same counts as the Total count.&nbsp; I can't figure out why I am doing wrong.</P><P>The search I am using is the following:</P><P>index=main "details.package"="com.siteone.mobilepro", "details.tag"="Connectivity Service", event=NoConnectivityEvent, "details.message.additionalInfo.NetworkAccessStatus"="None"<BR />| fields network.connectType, event, userSettings.site<BR />| eval MOBILE=if(network.connectType="MOBILE","1","0")<BR />| eval WIFI=if(network.connectType="WIFI","1","0")<BR />| stats values("userSettings.site") as Branch, count(event) as "Total Disconnects", count(MOBILE) as "Cellular Disconnects", count(WIFI) as "Wifi Disconnects" by "userSettings.site"<BR />| table Branch, "Total Disconnects", "Wifi Disconnects", "Cellular Disconnects"</P><P>&nbsp;</P><P>Any help on this would be awesome and much appreciated.</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 18 Jan 2024 13:50:49 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-on-why-my-eval-if-statement-isn-t-working/m-p/674661#M230934 mninansplunk 2024-01-18T13:50:49Z https://community.splunk.com/t5/Splunk-Search/Need-help-on-why-my-eval-if-statement-isn-t-working/m-p/674662#M230935 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237490">@mninansplunk</a>,</P><P>sometimes ields with dot insied don't work in eval, so you have two solutions:</P><P>use quotes:</P><LI-CODE lang="markup">| eval MOBILE=if("network.connectType"="MOBILE","1","0") | eval WIFI=if("network.connectType"="WIFI","1","0")</LI-CODE><P>or use a rename before the eval:</P><LI-CODE lang="markup">| rename network.connectType AS network_connectType | eval MOBILE=if(network_connectType="MOBILE","1","0") | eval WIFI=if(network_connectType="WIFI","1","0")</LI-CODE><P>I prefer the second solution.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 18 Jan 2024 13:53:47 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-on-why-my-eval-if-statement-isn-t-working/m-p/674662#M230935 gcusello 2024-01-18T13:53:47Z https://community.splunk.com/t5/Splunk-Search/Need-help-on-why-my-eval-if-statement-isn-t-working/m-p/674663#M230936 <P>count(MOBILE) and count(WIFI) are merely counting the instances where the field is present (not null). Since you have set them to either 1 or 0, they are always present. Either set them to 1 or null(), or use sum(MOBILE) and sum(WIFI) instead</P> Thu, 18 Jan 2024 13:55:59 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-on-why-my-eval-if-statement-isn-t-working/m-p/674663#M230936 ITWhisperer 2024-01-18T13:55:59Z https://community.splunk.com/t5/Splunk-Search/Need-help-on-why-my-eval-if-statement-isn-t-working/m-p/674674#M230937 <P>Awesome, that did the trick, thank you very much for the quick help!!!</P><P>Thanks</P> Thu, 18 Jan 2024 14:25:34 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-on-why-my-eval-if-statement-isn-t-working/m-p/674674#M230937 mninansplunk 2024-01-18T14:25:34Z https://community.splunk.com/t5/Splunk-Search/Need-help-on-why-my-eval-if-statement-isn-t-working/m-p/674681#M230939 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237490">@mninansplunk</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 18 Jan 2024 14:49:23 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-on-why-my-eval-if-statement-isn-t-working/m-p/674681#M230939 gcusello 2024-01-18T14:49:23Z