Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Can you help me with a problem using conditionals ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I'm struggling to get an eval macro working using conditionals (either case or if statement).
No matter what I try, I seem to get either Null result, or an error about expecting a string.
My use case is that I'm trying to compare a time period with the same time period on the same day of the week over several previous weeks.
For example, if i'm looking at response times between 14:00 and 14:30 on a Monday afternoon, I want to look back over the previous several weeks and determine the average for that time period.
This is easy enough when using normal eval statements, but with millions of events to run the evals on, it takes forever, so I'd like to use macros in my initial search to speed things up.
So, ideally, I want to have a macro that takes _time as a param, and then returns a string so I can include FilterTime(_time)="True" or something similar in my initial search.
Now, onto my actual problem — conditionals never work. Even when I do a super basic macro that doesn't take params, I don't get the expected results.
For example this eval macro:
case(4 > 5, "No", 5 > 4, "Yes", 1=1, "Shrug")
Returns Null (Instead of "Yes", or even "Shrug") when I call it like this:
|makeresults|eval keep=tostring(`FilterDates(weeks)`)
My actual macro will be far more complex, and I can build the individual statements, but conditionals just aren't returning. Does anyone have any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
When creating the macro, did you enable Use eval-based definition (iseval = 1)?
If so, the macro will return a string. In your example that would be Yes, without quotes. Now tostring(Yes) in your search will return Null.
I tried it differently:
Name: FilterDates(1)
Definition: case(4>5,"No",5>4,"Yes",1=1,"Shrug")
Use eval-based definition: No
Arguments: arg1
Now when I search for
| makeresults count=1 | eval keep=`FilterDates(weeks)`
then I get:
keep
Yes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
When creating the macro, did you enable Use eval-based definition (iseval = 1)?
If so, the macro will return a string. In your example that would be Yes, without quotes. Now tostring(Yes) in your search will return Null.
I tried it differently:
Name: FilterDates(1)
Definition: case(4>5,"No",5>4,"Yes",1=1,"Shrug")
Use eval-based definition: No
Arguments: arg1
Now when I search for
| makeresults count=1 | eval keep=`FilterDates(weeks)`
then I get:
keep
Yes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thankyou! This was the important part:
In your example that would be Yes, without quotes
You are entirely correct, its returning an unquoted string which was causing my issues.
If I include escaped double quotes in the string it works (ie: "\"Yes\"")
This seems counter intuitive to me, but I think I can work with it now.
Thanks again!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
