Splunk Search

Can I use an eval statement inside an if statement?

Mohsin123
Path Finder

Hi ,

Can I use an eval statement inside an if?

I have to implement something like this :

I have two fields : one country code and another area code .
I have to give list of employee ids who have country code as NZ , country code not like AU and area code like 2345

Can anyone help me with this?

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

| eval employee_satisfied = case(
   countrycode=NZ AND countrycode!=AU, a,
   areacode=2345, b,
   true(), "Not satisfied")

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

| eval employee_satisfied = case(
   countrycode=NZ AND countrycode!=AU, a,
   areacode=2345, b,
   true(), "Not satisfied")
0 Karma

@shraddhamuduli, Sorry without data and proper explanation, it is not clear what you want to do. Please provide more details on what you currently have and what you expect. Also provide the current query that you have tried.
Do you need something like following where country code and area code fields are country_code and area_code respectively?

<yourSearch>
| eval employee_type=case(country_code="NZ","TypeA",country_code="AU" AND area_code=2345,"TypeB",true(),"TypeOthers")
| stats count by employee_type
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Mohsin123
Path Finder

hi ,
i'm computing this :
failure=Uniq(# transaction_id having Req-in, NO Req-out and Response out with status-code=500)/ Uniq(# transaction_id of Req-in)

fields : logpoint, transaction-id,status-code
logpoint values: request-in,request-out,response-in,response-out

to translate this :
failure is the computation result
Numerator : unique transaction ids for those logpoints which have request in and no request out AND response out with status code as 500)
NOTE : every logpoint has a status code
so by response code with status cod=500 means only for response-out
Denominator: unique transaction ids with logpoint as request-in

0 Karma

Mohsin123
Path Finder

Also Niket,

Can i use 2 where condition in a single search , each where should be made on the base search

0 Karma

Mohsin123
Path Finder

eval a = if( countrycode=NZ and countrycode!=AU , then a= employee ids of both the satisfying condition
eval b=if(areacode=2345, then b=employee ids of the satisfying condition
combine a and b into c

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Splunk eval syntax will look like this

| eval <NEW FIELD NAME> = if(<CONDITION>, <TRUE>, <FALSE>)

There's no than inside it

0 Karma

FrankVl
Ultra Champion

Still not very clear what your end goal is here.

countrycode=NZ and countrycode!=AU is a bit of a pointless condition. If countrycode=NZ, it cannot at the same time be AU. So that and countrycode!=AU is redundant here.

You want one set of employee IDs based on countrycode filter in field a and one set of employee IDs based on areacode filter in field b?
Rather than trying to write a solution, can you just functionally/conceptually explain what you want to do?

0 Karma

FrankVl
Ultra Champion

Can you clarify the data you have (screenshots are most helpful usually) and what exactly you want to achieve?

You're asking for an eval inside an if, but then you say you just need to filter a list of employees based on country code and area code. That sounds like something you can do with a simple search query. What do you think you need the eval for?

0 Karma

Mohsin123
Path Finder

eval a = if( countrycode=NZ and countrycode!=AU , then a= employee ids of both the satisfying condition
eval b=if(areacode=2345, then b=employee ids of the satisfying condition
combine a and b into c

0 Karma

poete
Builder

Hello @shraddhamuduli,

In what kind of index/table are the information stored?

Are the 2 fields configured as inut in a dashboard or the result of a query?

It would be interesting to know in order to be more to the point where providing the answer to your question.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...