https://community.splunk.com/t5/Splunk-Search/EVAL-statement-not-correct/m-p/317940#M95132 <P>when i run this:</P> <PRE><CODE>|makeresults|eval "(g)Location"="Varonis" |eval MonitoringStatus="notMonitored"|eval Path="Hosting"| eval VaronisStatus=if(('(g)Location'!="Varonis" AND (MonitoringStatus!="Monitored") AND like(Path,"%Hosting%")),"Action Required", "No Action Required") </CODE></PRE> <P>i get "No Action Required" and when i change the <CODE>(g)Location</CODE> to <STRONG>notVaronis</STRONG>, I get <STRONG>Action Required</STRONG></P> <P>what exactly isn't working with this?</P> Wed, 17 Jan 2018 13:30:56 GMT cmerriman 2018-01-17T13:30:56Z https://community.splunk.com/t5/Splunk-Search/EVAL-statement-not-correct/m-p/317938#M95130 <P>My eval statement below is to check if 'Action is Required' only if the below conditions are met, I have also used case and if statement to determine this, however none of these have worked.</P> <OL> <LI>Location does not equal Varonis (i.e equals Not in Varonis)</LI> <LI>MonitoringStatus does not equal Monitored (i.e equals Not Monitored)</LI> <LI><P>Contains the word "Hosting" in the Path field</P> <P>| eval VaronisStatus=if(('(g)Location'!="Varonis" AND(MonitoringStatus!="Monitored") AND like(Path,"%Hosting%")),"Action Required", "No Action Required")</P> <P>|| eval VaronisStatus=case(('(g)Location'!="Varonis" AND(MonitoringStatus!="Monitored") AND like(Path,"%Hosting%")),"Action Required" , 1=1,"No Action Required") </P></LI> </OL> Wed, 17 Jan 2018 13:13:01 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-statement-not-correct/m-p/317938#M95130 davidcraven02 2018-01-17T13:13:01Z https://community.splunk.com/t5/Splunk-Search/EVAL-statement-not-correct/m-p/317939#M95131 <P>try this run anywhere search </P> <PRE><CODE>|makeresults|eval "(g)Location"="Varonis" |eval MonitoringStatus="NotMonitored"|eval Path="Hosting"| eval VaronisStatus=if('(g)Location'!="Varonis" AND MonitoringStatus!="Monitored" AND like(Path,"%Hosting%"),"Action Required", "No Action Required") </CODE></PRE> <P>you should try</P> <PRE><CODE>| eval VaronisStatus=if('(g)Location'!="Varonis" AND MonitoringStatus!="Monitored" AND like(Path,"%Hosting%"),"Action Required", "No Action Required") </CODE></PRE> <P>let me know if this helps !</P> Wed, 17 Jan 2018 13:25:21 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-statement-not-correct/m-p/317939#M95131 mayurr98 2018-01-17T13:25:21Z https://community.splunk.com/t5/Splunk-Search/EVAL-statement-not-correct/m-p/317940#M95132 <P>when i run this:</P> <PRE><CODE>|makeresults|eval "(g)Location"="Varonis" |eval MonitoringStatus="notMonitored"|eval Path="Hosting"| eval VaronisStatus=if(('(g)Location'!="Varonis" AND (MonitoringStatus!="Monitored") AND like(Path,"%Hosting%")),"Action Required", "No Action Required") </CODE></PRE> <P>i get "No Action Required" and when i change the <CODE>(g)Location</CODE> to <STRONG>notVaronis</STRONG>, I get <STRONG>Action Required</STRONG></P> <P>what exactly isn't working with this?</P> Wed, 17 Jan 2018 13:30:56 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-statement-not-correct/m-p/317940#M95132 cmerriman 2018-01-17T13:30:56Z https://community.splunk.com/t5/Splunk-Search/EVAL-statement-not-correct/m-p/317941#M95133 <P>Both of your approaches work on my system with test events. I don't see any functional difference between your first approach and the one suggested by @mayurr98 below, but if it works for you, great. If it doesn't, can you share some sample events that are being incorrectly categorized?</P> Wed, 17 Jan 2018 14:04:11 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-statement-not-correct/m-p/317941#M95133 elliotproebstel 2018-01-17T14:04:11Z