https://community.splunk.com/t5/Splunk-Search/Eval-If-Statement/m-p/242808#M72238 <P>Hi, I wonder whether someone may be able to help me please.</P> <P>Although I've been using Splunk for a few months now, I'm still coming against statements I've not see before. </P> <P>One of which is this <CODE>| eval verifiedButBounced=if('detail.verifiedButBounced'!="", 'detail.verifiedButBounced.count',0)</CODE></P> <P>Could someone possibly explain to me what this statement is actually doing and is there a more efficient way of writing this.</P> <P>Many thanks and kind regards</P> <P>Chris</P> Wed, 16 Mar 2016 08:10:33 GMT IRHM73 2016-03-16T08:10:33Z https://community.splunk.com/t5/Splunk-Search/Eval-If-Statement/m-p/242808#M72238 <P>Hi, I wonder whether someone may be able to help me please.</P> <P>Although I've been using Splunk for a few months now, I'm still coming against statements I've not see before. </P> <P>One of which is this <CODE>| eval verifiedButBounced=if('detail.verifiedButBounced'!="", 'detail.verifiedButBounced.count',0)</CODE></P> <P>Could someone possibly explain to me what this statement is actually doing and is there a more efficient way of writing this.</P> <P>Many thanks and kind regards</P> <P>Chris</P> Wed, 16 Mar 2016 08:10:33 GMT https://community.splunk.com/t5/Splunk-Search/Eval-If-Statement/m-p/242808#M72238 IRHM73 2016-03-16T08:10:33Z https://community.splunk.com/t5/Splunk-Search/Eval-If-Statement/m-p/242809#M72239 <P>So the <CODE>eval</CODE> command's <CODE>if</CODE> works just like the <CODE>IF</CODE> macro in Excel. The idea here the search is trying to "zero-fill" a field if the contents of the field is the empty string. This is a fairly common idiom, and can sometimes be replaced with the <CODE>coalesce</CODE> function like so:</P> <PRE><CODE>| eval verifiedButBounced = coalesce('detail.verifiedButBounced',0) </CODE></PRE> <P>The trickery here is the use of both <CODE>"</CODE> and <CODE>'</CODE>. In <CODE>eval</CODE>, a <CODE>.</CODE> (dot) character can be used to mean string concatenation. It can also be used in a field name, like if a field comes from JSON data. So if you have the string <CODE>detail.verifiedButBounced</CODE> do you mean a field named <CODE>detail.verifiedButBounced</CODE> or do you mean <CODE>detail</CODE> concatenated with <CODE>verifiedButBounced</CODE>? It is ambiguous! The eval command uses a single-quote around a field name to "escape" otherwise special characters within that field name. Double quotes are used to represent static strings. So your original eval could be expressed as:</P> <P>If the field named <CODE>detail.verifiedButBounced</CODE> is not equal to the string <CODE>""</CODE> then set the new field <CODE>verifiedButBounced</CODE> equal to the value of <CODE>detail.verifiedButBounced</CODE>. Otherwise, set the value of the new field <CODE>verifiedButBounced</CODE> equal to 0.</P> Wed, 16 Mar 2016 08:35:38 GMT https://community.splunk.com/t5/Splunk-Search/Eval-If-Statement/m-p/242809#M72239 dwaddle 2016-03-16T08:35:38Z https://community.splunk.com/t5/Splunk-Search/Eval-If-Statement/m-p/242810#M72240 <P>Hi @dwaddle, for confirmation the "detail.verifiedButBounced" is the name of the field.</P> <P>Thank you very much for the confirmation on the steps the statement is taking, it's very useful and will certainly help in the future.</P> <P>Kind Regards</P> <P>Chris</P> Wed, 16 Mar 2016 09:04:37 GMT https://community.splunk.com/t5/Splunk-Search/Eval-If-Statement/m-p/242810#M72240 IRHM73 2016-03-16T09:04:37Z