https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260980#M78312 <P>Hi, your query is a bit confusing.<BR /> Can you review and edit your question but using the Code Sample button (select your code then press the button with 1s and 0s) for your query in order to make sure no especial characters are omitted?</P> <P>Thanks,<BR /> J</P> Tue, 02 Feb 2016 14:36:16 GMT javiergn 2016-02-02T14:36:16Z https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260979#M78311 <P>All, </P> <P>I have the search below which is using eval and IF statement. I only want one of the search conditions to execute every time this search is called using the <CODE>$LOB$</CODE> variable. It appears the logic is correct and seems like other ppl have gotten this type of search to work, but the below does not work.</P> <P>To simplify my question, here is the logic </P> <PRE><CODE>| eval IF "(condition)",then, "Search1", else, "Search2" </CODE></PRE> <P>Any help on why this may not work??</P> <PRE><CODE>| eval (newLOB1=if(($LOB$ != "*"), "([search index=aws-ec2inventory | fields - _raw | table accountName, instanceId,PrivateIPAddress | dedup instanceId | eval (newLOB=(replace("$LOB$","COF-","")) |where accountName=newLOB | stats count])"), "([search index=aws-ec2inventory | fields - _raw | table accountName, instanceId,PrivateIPAddress | dedup instanceId | search accountName=* | stats count])")) </CODE></PRE> Tue, 02 Feb 2016 14:24:14 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260979#M78311 karthik40us 2016-02-02T14:24:14Z https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260980#M78312 <P>Hi, your query is a bit confusing.<BR /> Can you review and edit your question but using the Code Sample button (select your code then press the button with 1s and 0s) for your query in order to make sure no especial characters are omitted?</P> <P>Thanks,<BR /> J</P> Tue, 02 Feb 2016 14:36:16 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260980#M78312 javiergn 2016-02-02T14:36:16Z https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260981#M78313 <P>thanks..just reposted</P> Tue, 02 Feb 2016 14:42:33 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260981#M78313 karthik40us 2016-02-02T14:42:33Z https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260982#M78314 <P>Hi, I'm afraid that's not the way conditionals work in Splunk.</P> <P>This is what I would do instead:</P> <PRE><CODE>index=aws-ec2inventory | fields accountName, instanceId, PrivateIPAddress, "$LOB$" | dedup instanceId | eval newLOB = if("$LOB$" != "*", replace("$LOB$", "COF-", ""),"%") | where accountName=newLOB | stats count </CODE></PRE> <P>In principle that's the equivalent of your query but I'm still not sure about the following:</P> <PRE><CODE>newLOB1=if(($LOB$ != "*") </CODE></PRE> <P>What are you trying to achieve there? Is $LOB$ a token in your dashboard?</P> <P>Hope that helps,<BR /> J</P> Tue, 02 Feb 2016 15:00:07 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260982#M78314 javiergn 2016-02-02T15:00:07Z https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260983#M78315 <P>Thanks for the response !!.. you query worked only in cases where LOB !=" **" . If the variable LOB had * the results are 0. Any thoughts?. The below came back with 0 results </P> <PRE><CODE>index=aws-ec2inventory | fields accountName, instanceId, PrivateIPAddress, "*" | dedup instanceId | eval newLOB = if("*" != "*", replace("*", "COF-", ""),"%") | where accountName=newLOB | stats count </CODE></PRE> Tue, 02 Feb 2016 15:52:42 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260983#M78315 karthik40us 2016-02-02T15:52:42Z https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260984#M78316 <P>it almost feels like IF statement does not like "star" **</P> Tue, 02 Feb 2016 15:54:42 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260984#M78316 karthik40us 2016-02-02T15:54:42Z https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260985#M78317 <P>Also it worked for "**" if i removed the below line from the code</P> <PRE><CODE>| where accountName=newLOB </CODE></PRE> Tue, 02 Feb 2016 16:10:10 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260985#M78317 karthik40us 2016-02-02T16:10:10Z https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260986#M78318 <P>Hi, I'm now even more confused about what you are trying to do with the LOB variable. * is a wildcard that matches any character but it won't work as that in a where, because it works like an SQL where and you have to use percentage (%) instead.</P> <P>So, can you give me an example with two simple tables about what you are trying to achieve so that I can understand a bit better?</P> <P>This line here is killing my eyes <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> <PRE><CODE>| eval newLOB = if("*" != "*", replace("*", "COF-", ""),"%") </CODE></PRE> Tue, 02 Feb 2016 16:31:34 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260986#M78318 javiergn 2016-02-02T16:31:34Z https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260987#M78319 <P>By the way, if you just want to check whether a field is null or not you can use the isnull or isnotnull functions as part of your eval.</P> Tue, 02 Feb 2016 16:33:12 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260987#M78319 javiergn 2016-02-02T16:33:12Z https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260988#M78320 <P>The goal is to do a count on $LOB$ (i.e account Name) within aws-ec2inventory index .</P> <P>I am getting $LOB$(i.e account name) as dropdown box from a dashboard panel </P> <P>If the $LOB$ is a ** (wildcard) then i need to provide a stats count on ALL </P> <P>If the $LOB$ is not a ** then i am performing a replace function and providing a count for that particular account Name/$LOB$ </P> <P>table</P> <P>LOB (dropdown input from dashboard)<BR /> All ----&gt; (the value for this * )<BR /> COF-abcd-prod<BR /> COF-efgh-Dev<BR /> COF-njkd-Prod</P> Tue, 02 Feb 2016 17:17:51 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260988#M78320 karthik40us 2016-02-02T17:17:51Z https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260989#M78321 <P>Figured it out ..it was the where clause that was the issue and used LIKE instead...thanks for your help</P> Tue, 02 Feb 2016 22:09:29 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searching-using-eval-command/m-p/260989#M78321 karthik40us 2016-02-02T22:09:29Z