Splunk Search

Conditional searching using eval command

karthik40us
Explorer

All,

I have the search below, which is using eval and an IF statement. I only want one of the search conditions to execute every time this search is called using the $LOB$ variable. It appears the logic is correct, and it seems like other people have gotten this type of search to work, but the below does not work.

To simplify my question, here is the logic:

| eval IF "(condition)",then, "Search1", else, "Search2" 

Any help on why this may not work?

| eval (newLOB1=if(($LOB$ != "*"), 

"([search index=aws-ec2inventory | fields - _raw | table accountName, instanceId,PrivateIPAddress | dedup instanceId  | eval (newLOB=(replace("$LOB$","COF-","")) |where accountName=newLOB | stats count])"),

"([search index=aws-ec2inventory | fields - _raw | table accountName, instanceId,PrivateIPAddress | dedup instanceId | search accountName=* | stats count])"))
0 Karma
1 Solution

javiergn
Super Champion

Hi, I'm afraid that's not the way conditionals work in Splunk.

This is what I would do instead:

index=aws-ec2inventory 
| fields accountName, instanceId, PrivateIPAddress, "$LOB$"
| dedup instanceId 
| eval newLOB = if("$LOB$" != "*", replace("$LOB$", "COF-", ""),"%")
| where accountName=newLOB 
| stats count

In principle that's the equivalent of your query, but I'm still not sure about the following:

newLOB1=if(($LOB$ != "*")

What are you trying to achieve there? Is $LOB$ a token in your dashboard?

Hope that helps,
J


0 Karma

karthik40us
Explorer

Thanks for the response! Your query worked only in cases where LOB != "*". If the variable LOB had *, the results were 0. Any thoughts? The below came back with 0 results:

index=aws-ec2inventory 
 | fields accountName, instanceId, PrivateIPAddress, "*"
 | dedup instanceId 
 | eval newLOB = if("*" != "*", replace("*", "COF-", ""),"%")
 | where accountName=newLOB 
 | stats count
0 Karma

karthik40us
Explorer

It almost feels like the IF statement does not like "star" (*).

0 Karma

karthik40us
Explorer

Also, it worked for "*" if I removed the below line from the code:

| where accountName=newLOB 
0 Karma

javiergn
Super Champion

Hi, I'm now even more confused about what you are trying to do with the LOB variable. * is a wildcard that matches any character, but it won't work as that in a where, because it works like an SQL where and you have to use percentage (%) instead.

So, can you give me an example with two simple tables about what you are trying to achieve so that I can understand a bit better?

This line here is killing my eyes 😄

| eval newLOB = if("*" != "*", replace("*", "COF-", ""),"%")
0 Karma

javiergn
Super Champion

By the way, if you just want to check whether a field is null or not you can use the isnull or isnotnull functions as part of your eval.

0 Karma

karthik40us
Explorer

The goal is to do a count on $LOB$ (i.e. account Name) within the aws-ec2inventory index.

I am getting $LOB$ (i.e. account name) from a dropdown box in a dashboard panel.

If $LOB$ is * (wildcard), then I need to provide a stats count on ALL.

If $LOB$ is not *, then I am performing a replace function and providing a count for that particular account Name/$LOB$.

Table:

LOB (dropdown input from dashboard)
All ----> (the value for this is *)
COF-abcd-prod
COF-efgh-Dev
COF-njkd-Prod

0 Karma

karthik40us
Explorer

Figured it out. It was the where clause that was the issue; I used LIKE instead. Thanks for your help.

0 Karma
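Pulling the thread together, this is the form of the search that the accepted answer (eval/if with "%" as the catch-all) and the final "used LIKE instead" comment point to. It is an added example, not code from any of the posts above: it assumes the dashboard token is named LOB, that the All option of the dropdown carries the value * (as in the table above), and that the index and field names are the ones used in the thread. The $LOB|s$ form is Splunk's own token filter that quotes the value and escapes any quotation marks inside it, so a dropdown value containing a quote cannot break out of the string literal and alter the search.

```spl
index=aws-ec2inventory
| fields accountName, instanceId, PrivateIPAddress
| dedup instanceId
``` 
```spl
``` 
```spl
index=aws-ec2inventory
| fields accountName, instanceId, PrivateIPAddress
| dedup instanceId
``` 
```spl
index=aws-ec2inventory
| fields accountName, instanceId, PrivateIPAddress
| dedup instanceId
| eval lob = $LOB|s$                       ``` 
```spl
index=aws-ec2inventory
| fields accountName, instanceId, PrivateIPAddress
| dedup instanceId
| eval lob = $LOB|s$
| eval pattern = if(lob = "*", "%", replace(lob, "COF-", ""))
| where like(accountName, pattern)
| stats count
```

In like(), % is the any-characters wildcard that * is in the search command, so the All option becomes a pattern that matches every non-null accountName, while a value such as COF-abcd-prod becomes abcd-prod and matches exactly. Two caveats a reader would want: _ is the single-character wildcard in like(), so an account name containing an underscore is not an exact match unless it is escaped; and where discards events whose accountName is null, so if those should be counted under All, test for them with isnull() (as mentioned earlier in the thread) before the where.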

javiergn
Super Champion

Hi, your query is a bit confusing.
Can you review and edit your question using the Code Sample button (select your code, then press the button with 1s and 0s) for your query, in order to make sure no special characters are omitted?

Thanks,
J

0 Karma

karthik40us
Explorer

Thanks, just reposted.

0 Karma