topic Re: Why is my eval if() not working consistantly in Splunk Search

Why is my eval if() not working consistantly

rrustong — Fri, 13 Oct 2017 19:10:05 GMT

I'm having a difficult time getting what I believe is a simple eval command to work as I would expect. What I'm trying to accomplish is to convert a 1 or 0 into Yes or No respectively. I'm able to do so just fine on one field, but 2 others are giving me a problem. Here's the search I'm running:

| rest /servicesNS/-/-/saved/searches 
| search action.myAction=1 
| foreach action.myAction.param.myParam1 action.myAction.param.myParam2 is_scheduled [eval <<FIELD>>=if(isnull(<<FIELD>>),<<FIELD>>,if(<<FIELD>>=1,"Yes","No"))]
| rename action.myAction.param.myParam1 as param1, action.myAction.param.myParam2 as param2</pre>

I had to add the isnull check as the 2 param fields do not always have data in them and the search would not run without the isnull. This search does result in Yes/No values in the is_scheduled field, but the param fields remain unchanged. To my knowledge, Splunk is treating them as numbers as they are right-justified in the results table.

Here is some sample output from the above search:

title, param1, param2, is_scheduled
alert1, , yes
alert2, 1, 1, Yes
alert3, 1, 0, Yes
alert4, 0, 0, Yes

I have also tried adding another field to test whether the data is a string, number or null, but end up with very strange results from that. I added the following lines between the search and foreach lines to get the results below:

| eval isNumber=if(isNum(action.myAction.param.myParam1),"yes","no")
| eval isString=if(isStr(action.myAction.param.myParam1),"yes","no")
| eval isNull=if(isNull(action.myAction.param.myParam1),"yes","no")

Results:
title, param1, param2, is_scheduled, isNumber, isString, isNull
alert1, , yes, no, no, yes
alert2, 1, 1, Yes, no, no, yes
alert3, 1, 0, Yes, no, no, yes
alert4, 0, 0, Yes, no, no, yes

I have copied and pasted the field name everywhere within the command to make sure I haven't typo'd anything and I have tried renaming the fields prior to the eval command and using the renamed field instead of the original, but that changes nothing. I have also tried doing it outside a foreach loop, but still get the same results.

What am I missing? Is there a better way to accomplish what I'm trying to do?

Re: Why is my eval if() not working consistantly

elliotproebstel — Fri, 13 Oct 2017 20:34:44 GMT

I know you say you tried renaming the field before the eval, but I suspect that there might have been an error when you were testing that. Compare the following two:
| stats count | eval test.test1.testing="thing", test2="other", test3="thing" | foreach test.testing1.testing test2 test3 [ eval <>=if(<>="thing","renamed",<>) ]
and
| stats count | eval test.test1.testing="thing", test2="other", test3="thing" | rename test.test1.testing AS test1 | foreach test1 test2 test3 [ eval <>=if(<>="thing","renamed",<>) ]

When I run these, the first shows this - which matches your test results (note that the value of the first variable remains unchanged):

count  test.test1.testing  test2   test3

0       thing                other  renamed

and the second (which renames the field name test.test1.testing to test1 before the foreach and eval loop) gives me the desired result:

count  test1   test2   test3

0       renamed  other  renamed

Re: Why is my eval if() not working consistantly

rrustong — Fri, 13 Oct 2017 21:44:52 GMT

You are correct. I know I did test with renaming before the eval, but must have done something wrong as it's working now.

Thanks!

Re: Why is my eval if() not working consistantly

elliotproebstel — Sat, 14 Oct 2017 01:31:18 GMT

Glad I could help! I know how frustrating it is to test all possible error conditions for complex searches. 🙂