topic Re: How to use eval with IF? in Splunk Search

How to use eval with IF?

LH_SPLUNK — Thu, 25 Jan 2018 10:55:02 GMT

eval A=if(source == "source_a.csv", "1" , "0")

The result is 0 in every entry. What is wrong?
I have two sources source_a.csv and source_b.csv, so there must be entries with 1 and 0?

Re: How to use eval with IF?

cmerriman — Thu, 25 Jan 2018 12:54:10 GMT

are you sure that source_a.csv is in any of the events? it is spelled correctly? have you tried with only one = instead of ==, not that it should make a difference at all. also, what version of splunk are you on?

Re: How to use eval with IF?

FrankVl — Thu, 25 Jan 2018 13:13:24 GMT

No need to add a double == sign. Just source="filter-string" will do. But that shouldn't break things (at least it doesn't in my test box).

Are you sure those are the source values of your events? Just the filename, no path included? Can you provide a screenshot of the actual event with the source field visible?

Re: How to use eval with IF?

Elsurion — Thu, 25 Jan 2018 15:06:12 GMT

I've tried a few settings.
What can be, that the source_a.csv has a path in the field, like in the metrics.log example (source = /opt/splunk/var/log/splunk/metrics.log) , if so then you could use this if pattern.

index=_internal
| eval a=if(source like "%metrics.log","1","0")

If the field source is only "source_a.csv", then you can use the noted if pattern.

    index=_internal
    | eval a=if(source="metrics.log","1","0")

Re: How to use eval with IF?

nickhills — Thu, 25 Jan 2018 16:09:49 GMT

The format I use for this is:

...|eval  A=if(like(source,"%source_a.csv"), "1" , "0")

Re: How to use eval with IF?

niketn — Thu, 25 Jan 2018 16:28:50 GMT

@LH_SPLUNK, ususally source name is fully qualified path of your source i.e. besides the file name it will also contain the path details. So, your condition should not find an exact match of the source filename rather than it should be a pattern of ending with filename. Following is a run anywhere example illustrating the difference in your approach vs regular expression pattern match for source using match()

| makeresults
| eval source="source_a.csv,source_b.csv,/blah/blah/source_a.csv,/blah/blah/source_b.csv"
| makemv source delim=","
| mvexpand source
| eval A=if(source == "source_a.csv", "1" , "0")
| eval B=case(match(source,"source_a.csv$"),"1",match(source,"source_b.csv$"),"0")

PS: like() option suggested by @nickhillscpl, should also work. match() is case sensitive.

Re: How to use eval with IF?

yobackman — Sat, 07 Nov 2020 00:16:50 GMT

Thanks for the above info about using like. I ran into this issue when trying to match a field value inside an if.

eval Environment=if( host="*beta*","BETA","PROD" )

This returns all events with the Environment field value as PROD.

It worked as expected once I changed to:

if( like( host, "%beta%" ), "BETA", "PROD" )