topic Re: Search in eval if in Splunk Search

Search in eval if

pranaynanda — Mon, 22 May 2017 08:34:52 GMT

I want to do something like

...base search | eval Mod=if(Module=Excel OR Module=Word, [search extension=xls OR extension=xslx OR extension=doc OR extension=docx|stats count by extension],"It is not an MS Office document")...

I always keep running into an error that says the search encountered an unexpected character. Please help.

Re: Search in eval if

dineshraj9 — Mon, 22 May 2017 09:03:43 GMT

Can you explain what is the output you are expecting?

Mod is variable and the if condition if first case returns a table and not a single value, and in second case is set with a text message.

Re: Search in eval if

pranaynanda — Mon, 22 May 2017 09:29:43 GMT

I basically want to search different if the condition matches or fails.

Re: Search in eval if

niketn — Mon, 22 May 2017 15:50:48 GMT

You will have to give more details of what you are trying to do in else condition and what is the query you might run.

Also sample mock fields for Office and Not-office documents.

Re: Search in eval if

DalJeanis — Mon, 22 May 2017 17:41:16 GMT

Try something like...

...base search 
| eval myExt=if(extension="xls" OR extension="xlsx" OR extension="doc" OR extension="docx",extension,"Not MS Office")
| stats count by myExt

Re: Search in eval if

pranaynanda — Wed, 24 May 2017 03:25:31 GMT

Basically, If the condition happens to be true, I want it to search by extension and return with stats. Otherwise, in the else part, I wish to run a regex.

Re: Search in eval if

pranaynanda — Wed, 24 May 2017 03:43:05 GMT

Well basically, in the base search it's something like Module=$field2$ that is guided by a drop down box. I wish to check if the module is A or if module is B then run this search otherwise run a regex.

Re: Search in eval if

pranaynanda — Wed, 24 May 2017 05:58:29 GMT

would something like this be valid?

... Module=Excel| eval Modx=if(Module="Excel" , "extension=xls OR extension=xlsx","extension=doc OR extension=docx") | search Modx

Re: Search in eval if

pranaynanda — Wed, 31 May 2017 12:38:22 GMT

That doesn't work for me. in the base search it's like if Module=$field2$. So if the module matches some value x, I want to search something and display a chart. Otherwise I want to search something else and display a different chart.

Re: Search in eval if

alemarzu — Wed, 31 May 2017 13:02:59 GMT

Hi there, please try addin single quotes ' before and after the brackets, like this.

...base search | eval Mod=if(Module=Excel OR Module=Word, '[search extension=xls OR extension=xslx OR extension=doc OR extension=docx|stats count by extension]',"It is not an MS Office document")...

Hope it helps.

Re: Search in eval if

pranaynanda — Thu, 01 Jun 2017 08:29:56 GMT

How will I get the output out of it? How will I get results of Mod?

Re: Search in eval if

dhivyamu — Fri, 08 Nov 2019 15:44:56 GMT

where you able to solve this issue?