Hi, I wonder whether someone may be able to help me please.
I'm starting to get to grips with the 'If' statements and understand the basics around these. But I'm using an existing query which contains the line as shown below.
I would understand this if it didn't have the 1 at the end of the statement, but I just wondered whether someone could explain what the 1 actually does.
|eval Interstitpage=if('detail.journey'="Interstitial",1, 0 )
In addition could someone tell me please would it more efficient to use the "searchmatch" I've read about, and if, could someone possibly explain I may incorporate it into this example.
Many thanks and kind regards
The eval statement is creating a pseudo-boolean variable and setting its value. If the detail.journey field has the value "Interstitial" then Interstitpage is set to 1 to represent 'true'; otherwise it is set to 0 to represent 'false'.
I've not used the searchmatch function in part because it is poorly documented. Chatter about it on Answers, however, indicate including a field name in searchmatch can be problematic.
Hi @richgalloway, thank you for taking the time to reply to my post, so in essence it's looking to see if a value exists?
So if I've undertsood it correctly in another example I have here:
eval NewUserOptedOut=if(('detail.digital'="false") AND ('detail.journey'="Interstitial"),1, 0 )
Am I correct in saying that if both "detail.digitial="false AND "detail.journey"=Intersitial" then set the result to "True", if not set to "False"?
Many thanks and kind Regards
Yes, you are correct, except that NewUserOptedOut will not be a true Boolean variable. That is, a statement like
if (NewUserOptedOut, foo, bar) won't work. It would have to be
if (NewUserOptedOut==1, foo, bar).
Hi, my apologies. I was just a little confused by your reply where you highlighted that "NewUserOptedOut" would not be a true boolean. I guess I put 2 and 2 together and came up with 5.
Is there any chance you could elaborate on your answer please.
Many thanks and kind regards
A true Boolean value holds the result of an assertion (a yes/no test). It's actual content is known only to the "operating system". Booleans cannot be used with an [in]equality operator because we don't know what to compare them to.
Many programming languages, like C, don't use true Booleans. They assign numeric values to "true" and "false" which allows for constructs such as 'if foo == 0' (a statement which is true if foo is false).
Before we get too far off-track, the original eval command is converting a Boolean expression ('detail.journey'="Interstitial") into a numeric expression (1 or 0) for some later use. Splunk restricts how Booleans can be used in some commands, but converting the Boolean to an integer removes those restrictions.
Hi, thank you for coming back to me with this. This explanation helps a great deal, so thank you for taking the time to put it together.