topic Re: How to get an "eval if else" condition to continue a search depending on the resulting field? in Splunk Search

How to get an "eval if else" condition to continue a search depending on the resulting field?

gamification — Thu, 11 Aug 2016 16:39:43 GMT

Hello,

I would like to know if it's possible to do certain part of search with if statement on a field.

For example:

index="test" | head 1 | eval field = lastUpdate ((lastUpdate is an extracted field)) | eval date = strptime( field ,"%Y.%m.%d %H:%M.%S")

The problem here is field is sometimes null, sometimes not, so strptime may not work correctly. So what I would like to do is:

index="test | head 1 | eval field = lastUpdate | if field ="2014.01.12" ----> parse it | else .....

Don't focus on my example, the thing that I don't understand is how to do the if else.

Thanks for help.

Re: How to get an "eval if else" condition to continue a search depending on the resulting field?

somesoni2 — Thu, 11 Aug 2016 17:23:54 GMT

Try this

index="test" | head 1 | eval field = lastUpdate ((lastUpdate is an extracted field)) | eval date = if(isnotnull(field),strptime( field ,"%Y.%m.%d %H:%M.%S"),now())

index="test" lastUpdate=* | eval field = lastUpdate ((lastUpdate is an extracted field)) | eval date = strptime( field ,"%Y.%m.%d %H:%M.%S")

Re: How to get an "eval if else" condition to continue a search depending on the resulting field?

gamification — Fri, 12 Aug 2016 12:46:09 GMT

Thanks 🙂 helped me.