topic Re: Why won't my multiple "eval if match" expressions work? in Splunk Search

Why won't my multiple "eval if match" expressions work?

jsven7 — Fri, 16 Oct 2015 17:21:12 GMT

I'm trying to check a field for an OS. If Windows, then replace the entire field with "Windows". If mac is found, then replace the entire field with "Mac" Etc. It seems like only the second match works. Anyone know why?

Current Search:

...
| eval OS=if(match(User_Agent,"mac"),"Macintosh",User_Agent)
| eval OS=if(match(User_Agent,"windows"),"Windows",User_Agent)

Sample Data:

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; PRU_IE; rv:11.0) like Gecko
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 (KHTML, like Gecko) Version/8.0.3 Safari/600.3.18

Re: Why won't my multiple "eval if match" expressions work?

aljohnson_splun — Fri, 16 Oct 2015 17:51:29 GMT

Did you try capitalizing the m and w of mac and windows in your match function ?

Re: Why won't my multiple "eval if match" expressions work?

jkat54 — Tue, 29 Sep 2020 07:35:14 GMT

You're matching on the field User_Agent for patterns like "mac" and windows". So I ask, does the User_Agent field exist on "mac" data? If so, can you please post example?

or you can show us what matches this search maybe?
...|dedup User_Agent | table User_Agent

Re: Why won't my multiple "eval if match" expressions work?

jkat54 — Fri, 16 Oct 2015 17:56:54 GMT

That was my first thought, but he says windows match is working so I asked for a list of User_Agent values.

Re: Why won't my multiple "eval if match" expressions work?

HiroshiSatoh — Tue, 29 Sep 2020 07:35:17 GMT

It 's looks like this?

ex.)
User_Agent："mac"

| eval OS=if(match(User_Agent,"mac"),"Macintosh",User_Agent)
OS:Macintosh
| eval OS=if(match(User_Agent,"windows"),"Windows",User_Agent)
OS:mac

Try this!

your search |eval OS = case(match(User_Agent,"mac"), "Macintosh", match(User_Agent,"windows"), "Windows",1==1,User_Agent)

Re: Why won't my multiple "eval if match" expressions work?

martin_mueller — Fri, 16 Oct 2015 18:19:52 GMT

You're writing the OS field in the second eval, regardless of a match or not: Either with "Windows" or with User_Agent. Instead, make the if() preserve the current value like this:

...
| eval OS=if(match(User_Agent,"(?i)mac"),"Macintosh",OS)
| eval OS=if(match(User_Agent,"(?i)windows"),"Windows",OS)

Note that I made the regular expressions case insensitive. Additionally, be careful about accidentally matching other parts of the string. I'm pretty sure the web already has working examples of how to regex out the OS from a user agent, maybe even on splunkbase.

Re: Why won't my multiple "eval if match" expressions work?

DeronJensen — Fri, 16 Oct 2015 18:23:25 GMT

They are both working, but your second eval is overwriting the OS value of your first.

Change the second to:

| eval OS=if(match(User_Agent,"windows"),"Windows",OS)

Re: Why won't my multiple "eval if match" expressions work?

jsven7 — Fri, 16 Oct 2015 18:42:33 GMT

Sorry, the sample data is raw. In the code I had the sample data all lowercased.

Re: Why won't my multiple "eval if match" expressions work?

jsven7 — Tue, 29 Sep 2020 07:37:41 GMT

Sorry I don't understand your question. Are you asking if there is a User_Agent field that contains the literals, 'mac'? If so yes.

Below is a field where with the above code I expect it to be 'Macintosh' because of the literal 'mac' contained in it.
junospulseipad/iphone mozilla/5.0 (ipad; cpu os 9_0_2 like mac os x) applewebkit/601.1.46 (khtml, like gecko) mobile/13a452 junospulse(version-5.0.8.50589)ipad/iphone

Re: Why won't my multiple "eval if match" expressions work?

aljohnson_splun — Fri, 16 Oct 2015 19:09:33 GMT

BOOM ! This is the answer.

Re: Why won't my multiple "eval if match" expressions work?

jsven7 — Fri, 16 Oct 2015 19:30:18 GMT

Ok. I understand that I'm having a logic issue. I don't see it though. This example works as I want to use it for multiple matches. Appreciate it.

Re: Why won't my multiple "eval if match" expressions work?

jsven7 — Fri, 16 Oct 2015 19:32:06 GMT

Thank you HiroshiSatoh. This works. Only thing is that I tried to copy-cat the logic for multiple searches and I ran into issues. I'm new to Splunk!

Re: Why won't my multiple "eval if match" expressions work?

jsven7 — Fri, 16 Oct 2015 19:33:52 GMT

Everyone said, "your overwriting". For some reason when I read your "you're overwriting" the light bulb turned on. Thanks.

Re: Why won't my multiple "eval if match" expressions work?

jsven7 — Fri, 16 Oct 2015 19:34:40 GMT

I understand the bad overwrite now. Thanks.

Re: Why won't my multiple "eval if match" expressions work?

becksyboy — Thu, 22 Nov 2018 10:53:15 GMT

This works for me, thanks!