All,
I have the search below, which uses eval and an IF statement. I only want one of the search conditions to execute every time this search is called using the $LOB$ variable. It appears the logic is correct, and it seems like other people have gotten this type of search to work, but the below does not work.
To simplify my question, here is the logic:
| eval IF "(condition)",then, "Search1", else, "Search2"
Any help on why this may not work??
| eval (newLOB1=if(($LOB$ != "*"),
"([search index=aws-ec2inventory | fields - _raw | table accountName, instanceId,PrivateIPAddress | dedup instanceId | eval (newLOB=(replace("$LOB$","COF-","")) |where accountName=newLOB | stats count])"),
"([search index=aws-ec2inventory | fields - _raw | table accountName, instanceId,PrivateIPAddress | dedup instanceId | search accountName=* | stats count])"))
Hi, I'm afraid that's not the way conditionals work in Splunk.
This is what I would do instead:
index=aws-ec2inventory
| fields accountName, instanceId, PrivateIPAddress, "$LOB$"
| dedup instanceId
| eval newLOB = if("$LOB$" != "*", replace("$LOB$", "COF-", ""),"%")
| where accountName=newLOB
| stats count
In principle that's the equivalent of your query but I'm still not sure about the following:
newLOB1=if(($LOB$ != "*")
What are you trying to achieve there? Is $LOB$ a token in your dashboard?
Hope that helps,
J
Thanks for the response! Your query worked only in cases where LOB != "*". If the variable LOB had * the results are 0. Any thoughts? The below came back with 0 results:
index=aws-ec2inventory
| fields accountName, instanceId, PrivateIPAddress, "*"
| dedup instanceId
| eval newLOB = if("*" != "*", replace("*", "COF-", ""),"%")
| where accountName=newLOB
| stats count
It almost feels like the IF statement does not like "star" *
Also, it worked for "*" if I removed the below line from the code:
| where accountName=newLOB
Hi, I'm now even more confused about what you are trying to do with the LOB variable. * is a wildcard that matches any character but it won't work as that in a where, because it works like an SQL where and you have to use percentage (%) instead.
So, can you give me an example with two simple tables about what you are trying to achieve so that I can understand a bit better?
This line here is killing my eyes 😄
| eval newLOB = if("*" != "*", replace("*", "COF-", ""),"%")
By the way, if you just want to check whether a field is null or not you can use the isnull or isnotnull functions as part of your eval.
The goal is to do a count on $LOB$ (i.e. account name) within the aws-ec2inventory index.
I am getting $LOB$ (i.e. account name) as a dropdown box from a dashboard panel.
If $LOB$ is a * (wildcard) then I need to provide a stats count on ALL.
If $LOB$ is not a * then I am performing a replace function and providing a count for that particular account name/$LOB$.
table
LOB (dropdown input from dashboard)
All ----> (the value for this * )
COF-abcd-prod
COF-efgh-Dev
COF-njkd-Prod
Figured it out. It was the where clause that was the issue, and I used LIKE instead. Thanks for your help.
Hi, your query is a bit confusing.
Can you review and edit your question, using the Code Sample button (select your code, then press the button with 1s and 0s) for your query, in order to make sure no special characters are omitted?
Thanks,
J
Thanks, just reposted.
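The fix described in the thread (matching with LIKE instead of `=` in the `where` clause) could look like the query below. This is an added example, not the poster's final query, which the thread does not show; the `selectedLOB` field, the `^` anchor on the `COF-` prefix, and the `$LOB|s$` token filter (which makes the dashboard wrap the dropdown value in quotes instead of pasting it raw into the search) are assumptions added here.

```spl
index=aws-ec2inventory
| fields accountName, instanceId, PrivateIPAddress
| dedup instanceId
| eval selectedLOB = $LOB|s$
| eval newLOB = if(selectedLOB == "*", "%", replace(selectedLOB, "^COF-", ""))
| where like(accountName, newLOB)
| stats count
```

In a LIKE pattern `_` matches any single character as well as `%` matching any run, so an account name containing an underscore can match more than itself; `| where selectedLOB == "*" OR accountName == newLOB` is the stricter alternative.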