topic Re: Why does my search with an eval if condition always return false? in Splunk Search

Why does my search with an eval if condition always return false?

cdstealer — Tue, 16 Jun 2015 11:22:11 GMT

Hi,

I'm having difficulty in using a field in a dashboard. I have 3 fields that I'm trying to use some logic with.

qos_metric, qos_bandwidth & qos_thruput

I tried this, but it always returns false:

   | eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput)

The index always contains qos_bandwidth & qos_thruput together, but I only require one.

The logic:
if qos_metric == Bandwidth then qos_unit contains the value of qos_bandwidth, else qos_unit contains the value of qos_thruput.

The search (to add context):

Index=storage_arrays sourcetype=qos dev_name=$device$ qos_class=$class$ | eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput) | chart avg(qos_unit) as "QoS" avg(qos_metric_value) as Limit over _time by qos_class | eval _span=4

I hope I explained OK.

Re: Why does my search with an eval if condition always return false?

fdi01 — Tue, 16 Jun 2015 11:30:07 GMT

if "Bandwidth" is an field, try like :

index=storage_arrays sourcetype=qos dev_name=$device$ qos_class=$class$ | eval qos_unit=if(qos_metric == Bandwidth, qos_bandwidth, qos_thruput) | chart avg(qos_unit) as "QoS" avg(qos_metric_value) as Limit over _time by qos_class | eval _span=4

or
if "Bandwidth" is an string , the you querry is verry OK .

Re: Why does my search with an eval if condition always return false?

cdstealer — Tue, 16 Jun 2015 11:38:48 GMT

Hi fdi01, Thanks for the reply. The quotes (with/without) make no difference. 😞

Re: Why does my search with an eval if condition always return false?

stephanefotso — Mon, 28 Sep 2020 20:16:38 GMT

Hello! I think the error should be your avg(qos_unit) and avg(qos_metric_value). Make sure that qos_unit and qos_metric_value have numerical values since avg will only work with numerical values. If not, try another function

Thanks.

Re: Why does my search with an eval if condition always return false?

cdstealer — Tue, 16 Jun 2015 12:42:18 GMT

Hi, The two fields only contain integers. And I've pretty much worked my way through doc.

Re: Why does my search with an eval if condition always return false?

woodcock — Tue, 16 Jun 2015 13:33:01 GMT

You explained everything except for the problem that you are having. According to your "question" everything is A-OK and working fine. IMHO there is nothing wrong with your search string with the exception that the final clause ( | eval _span=4 ) is useless and does nothing (which makes me think that you are trying to have it do something, which maybe is the "unspoken problem" that you are having). Clarify your problem and maybe we can help you. In any case, the search you posted should do exactly as you indicated is your desire.

Re: Why does my search with an eval if condition always return false?

stephanefotso — Tue, 16 Jun 2015 14:26:29 GMT

Run your search without a token and let know what happen

Index=storage_arrays sourcetype=qos dev_name=* qos_class=* | eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput) | chart avg(qos_unit) as "QoS" avg(qos_metric_value) as Limit over _time by qos_class

Re: Why does my search with an eval if condition always return false?

cdstealer — Mon, 28 Sep 2020 20:18:15 GMT

Hi, I removed the |eval span=4 to be safe which made no difference. The problem that I'm having is that the if-then-else is alway returning false which make qos_unit always have the value of qos_thruput even if qos_metric is Bandwidth. So to explain:

If qos_metric = bandwidth then let qos_unit contain qos_bandwidth values else qos_unit contains qos_thruput values.

Re: Why does my search with an eval if condition always return false?

woodcock — Tue, 16 Jun 2015 15:06:14 GMT

Try this:

Index=storage_arrays sourcetype=qos dev_name=$device$ qos_class=$class$ | eval qos_unit=if(like(qos_metric,"%Bandwidth%"), qos_bandwidth, qos_thruput) | chart avg(qos_unit) as "QoS" avg(qos_metric_value) as Limit over _time by qos_class

The only reason that this makes sense ("if" is always true) is if your test is not what you think it is; this test is a little more flexible to accommodate bounding whitespace.

Re: Why does my search with an eval if condition always return false?

cdstealer — Wed, 17 Jun 2015 07:00:56 GMT

Hi, Thanks again. Still no joy 😞 Though I have sorted it another way 🙂 Answer to follow.

Re: Why does my search with an eval if condition always return false?

cdstealer — Mon, 28 Sep 2020 20:18:38 GMT

Instead of trying to go through an eval condition, I've created an input with the static values Name=Bandwidth Value=qos_bandwidth, Name=Throughput,Value=qos_thruput. I then removed the entire eval statement. This seems to work as expected 🙂 It just means a manual step rather than automated.

index="storage_arrays" sourcetype="qos" dev_name="$device$" qos_class="$class$" | chart avg($qosVol$) as "QoS" avg(qos_metric_value) as "Limit" over _time by qos_class

Thank you for all your time.

EDIT

Managed to automate it and thought I'd add it just in case.

index="storage_arrays" sourcetype="qos" dev_name="$device$" qos_class="$class$" | fields qos_class dev_name qos_metric qos_bandwidth qos_thruput qos_metric_value | transaction qos_metric qos_bandwidth qos_thruput qos_class dev_name | eval qos_unit=if(qos_metric == "Bandwidth", qos_bandwidth, qos_thruput)| chart avg(qos_unit) as "QoS" avg(qos_metric_value) as "Limit" over _time by qos_class

Breakdown:

<main search populated by form options> | <only return the fields I'm interested in> | <merge the fields> The "qos_metric" field is from a second source, so creates a separate event to the other fields. | <If statement so if qos_metric is Bandwidth only return qos_bandwidth value, else qos_thruput values.> | <stick it in a chart so we can do pretty graphs>

Thanks