Conditional searching using eval command

karthik40us
Explorer

All,

I have the search below which is using eval and an IF statement. I only want one of the search conditions to execute every time this search is called using the $LOB$ variable. It appears the logic is correct and it seems like other people have gotten this type of search to work, but the below does not work.

To simplify my question, here is the logic

| eval IF "(condition)",then, "Search1", else, "Search2" 

Any help on why this may not work??

| eval (newLOB1=if(($LOB$ != "*"), 

"([search index=aws-ec2inventory | fields - _raw | table accountName, instanceId,PrivateIPAddress | dedup instanceId  | eval (newLOB=(replace("$LOB$","COF-","")) |where accountName=newLOB | stats count])"),

"([search index=aws-ec2inventory | fields - _raw | table accountName, instanceId,PrivateIPAddress | dedup instanceId | search accountName=* | stats count])"))
0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

Hi, I'm afraid that's not the way conditionals work in Splunk.

This is what I would do instead:

index=aws-ec2inventory 
| fields accountName, instanceId, PrivateIPAddress, "$LOB$"
| dedup instanceId 
| eval newLOB = if("$LOB$" != "*", replace("$LOB$", "COF-", ""),"%")
| where accountName=newLOB 
| stats count

In principle that's the equivalent of your query but I'm still not sure about the following:

newLOB1=if(($LOB$ != "*")

What are you trying to achieve there? Is $LOB$ a token in your dashboard?

Hope that helps,
J

0 Karma

karthik40us
Explorer

Thanks for the response!! Your query worked only in cases where LOB != "*". If the variable LOB had * the results are 0. Any thoughts? The below came back with 0 results

index=aws-ec2inventory 
 | fields accountName, instanceId, PrivateIPAddress, "*"
 | dedup instanceId 
 | eval newLOB = if("*" != "*", replace("*", "COF-", ""),"%")
 | where accountName=newLOB 
 | stats count
0 Karma

karthik40us
Explorer

It almost feels like the IF statement does not like "star" (*).

0 Karma

karthik40us
Explorer

Also, it worked for "*" if I removed the line below from the code

| where accountName=newLOB 
0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi, I'm now even more confused about what you are trying to do with the LOB variable. * is a wildcard that matches any character but it won't work as that in a where, because it works like an SQL where and you have to use percentage (%) instead.

So, can you give me an example with two simple tables about what you are trying to achieve so that I can understand a bit better?

This line here is killing my eyes 😄

| eval newLOB = if("*" != "*", replace("*", "COF-", ""),"%")
0 Karma

javiergn
SplunkTrust
SplunkTrust

By the way, if you just want to check whether a field is null or not you can use the isnull or isnotnull functions as part of your eval.

0 Karma

karthik40us
Explorer

The goal is to do a count on $LOB$ (i.e. account name) within the aws-ec2inventory index.

I am getting $LOB$ (i.e. account name) as a dropdown box from a dashboard panel.

If $LOB$ is * (wildcard) then I need to provide a stats count on ALL.

If $LOB$ is not * then I am performing a replace function and providing a count for that particular account name/$LOB$.

table

LOB (dropdown input from dashboard)
All ----> (the value for this is *)
COF-abcd-prod
COF-efgh-Dev
COF-njkd-Prod

0 Karma

karthik40us
Explorer

Figured it out. It was the where clause that was the issue; I used LIKE instead. Thanks for your help.

0 Karma
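Since the thread never shows the final search, here is one that combines the solution's eval with the like() comparison the asker switched to (the = in where is an exact match, so the % fallback only works through like()); this is an added example, not a query posted in the thread. It assumes $LOB$ is the dashboard dropdown token whose "All" choice carries the value *, that the other choices look like COF-abcd-prod, and that accountName values in the index are stored without the COF- prefix, which is what the replace() implies.

```spl
index=aws-ec2inventory
| fields accountName, instanceId, PrivateIPAddress
| dedup instanceId
| eval lob="$LOB$"
| eval newLOB=if(lob="*", "%", replace(lob, "COF-", ""))
| where like(accountName, newLOB)
| stats count
```

With the dropdown on All the token expands to `eval lob="*"`, newLOB becomes `%` and like() matches every accountName; with COF-abcd-prod selected, newLOB becomes `abcd-prod` and only that account is counted. Because the token's text is substituted into the search before it runs, keep the dropdown as a fixed choice list rather than a free-text input.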

javiergn
SplunkTrust
SplunkTrust

Hi, your query is a bit confusing.
Can you review and edit your question using the Code Sample button (select your code, then press the button with 1s and 0s) for your query, in order to make sure no special characters are omitted?

Thanks,
J

0 Karma

karthik40us
Explorer

Thanks, just reposted.

0 Karma