Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

EVAL for ELSE IF condition

davidcraven02
Communicator
‎01-09-2018 07:31 AM

My logic for my field "Action" is below, but because there is different else conditions I cannot write an eval do achieve the below.

if (Location="Varonis" AND (like(Path,"%Hosting%")
then Status=Action Required

else if(Location="Varonis" AND ( MonitoringStatus!="Monitored" OR MonitoringStatus=null )
then Status=Action Required

else if(Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus=null )
then Status=Action Required

else if(Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus=null )
then Status=Action Required

0 Karma
Reply

aniketsamudra
Engager
‎02-15-2024 02:41 AM

Having a similar issue,

| eval Test= if( (like('thrown.extendedStackTrace',"%403%"),"403"),(like('thrown.extendedStackTrace',"%404%"),"404"),"###ERROR####")


But getting error as -->

Error in 'EvalCommand': The expression is malformed. Expected ).
 




0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2024 04:08 AM

Brackets in the wrong place and it looks like the else part of the first if should start with another if

| eval Test= if( (like('thrown.extendedStackTrace',"%403%"),"403", if(like('thrown.extendedStackTrace',"%404%"),"404","###ERROR####"))
0 Karma
Reply

aniketsamudra
Engager
‎02-15-2024 07:31 PM

Got it resolved.. corrected one bracket

Thank You so much for the pointer on 'if' required everytime

0 Karma
Reply

aniketsamudra
Engager
‎02-15-2024 07:17 PM

Nope!

Getting error as 

Error in 'EvalCommand': The expression is malformed. Expected ).
 
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-15-2024 07:27 PM

Hi @aniketsamudra 

You should use case statement like below;

| eval Test=case(like('thrown.extendedStackTrace',"%403%"),"403", like('thrown.extendedStackTrace',"%404%"),"404",1=1,"###ERROR####")

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

493669
Super Champion
‎01-09-2018 08:27 AM

can you try below:

...| eval Status=if((Location="Varonis" AND like(Path,"%Hosting%")),"Action Required",(Location="Varonis" AND (MonitoringStatus!="Monitored" OR MonitoringStatus="null" OR DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null")),"Action Required",1=1,"Action NOT Required")

I have combined two conditions

0 Karma
Reply

mayurr98
Super Champion
‎01-09-2018 07:58 AM

hey try this

 <your_base_query> 
| eval Status=if((Location="Varonis" AND like(Path,"%Hosting%")),"Action Required",(Location="Varonis" AND (MonitoringStatus!="Monitored" OR MonitoringStatus="null")),"Action Required",(Location="Varonis" AND (DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null")),"Action Required","Action NOT Required")

I hope this helps you!

0 Karma
Reply

mayurr98
Super Champion
‎01-09-2018 08:45 AM

hey @davidcraven02
you need to put null in "null" in order to make it work.
try my search!

0 Karma
Reply

nickhills
Ultra Champion
‎01-09-2018 07:46 AM

The last two statements look identical, so assuming there are 3 statements:

Maybe case would be more useful:

...|eval Status=case((Location="Varonis" AND (like(Path,"%Hosting%"))),"Action Required",(Location="Varonis" AND ( MonitoringStatus!="Monitored" OR MonitoringStatus="null" )),"Action required",(Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null" )),"Action Required",1<2,"No Action required")
If my comment helps, please give it a thumbs up!
Reply

davidcraven02
Communicator
‎01-09-2018 08:37 AM

Thank you , this mostly works, the only issue is that for NULL values in DayBackUpStatus that exist within Varonis are not getting picked up as action required.

0 Karma
Reply

nickhills
Ultra Champion
‎01-09-2018 09:02 AM

sorry sloppy copy and paste on my part.
null should be double quoted - or you could use isnull()

If my comment helps, please give it a thumbs up!
0 Karma
Reply

davidcraven02
Communicator
‎01-09-2018 11:22 AM

This didnt work, the query below his doesnt pick up null values and when I use isnull() it makes all the status column equal 'Action Required' for all

|eval Status=case((Location="Varonis" AND (like(Path,"%Hosting%"))),"Action Required",
(Location="Varonis" AND ( MonitoringStatus!="Monitored" OR MonitoringStatus="null" )),"Action required", (Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null" )),"Action Required",1<2,"No Action required")
0 Karma
Reply

nickhills
Ultra Champion
‎01-09-2018 11:36 AM

do the fields contain the word null, or are they empty?

if empty, could you try MonitoringStatus!=*

If my comment helps, please give it a thumbs up!
0 Karma
Reply

micahkemp
Champion
‎01-09-2018 07:44 AM

Consider the case function.

Example from the doc:

eval description=case(error ==404, "Not found", error == 500,
"Internal Server Error", error == 200, "OK")

Though your example looks like it could be done in a single if, using OR to join the clauses since they all have the same return value of Action Required.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...