EVALstatement not working

davidcraven02 · ‎01-17-2018

My eval statement below is to check if 'Action is Required' only if the below conditions are met, I have also used case and if statement to determine this, however none of these have worked.

Location does not equal Varonis (i.e equals Not in Varonis)
MonitoringStatus does not equal Monitored (i.e equals Not Monitored)
Contains the word "Hosting" in the Path field

| eval VaronisStatus=if(('(g)Location'!="Varonis" AND(MonitoringStatus!="Monitored") AND like(Path,"%Hosting%")),"Action Required", "No Action Required")

|| eval VaronisStatus=case(('(g)Location'!="Varonis" AND(MonitoringStatus!="Monitored") AND like(Path,"%Hosting%")),"Action Required" , 1=1,"No Action Required")

493669 · ‎01-17-2018

Hi @davidcraven02,
I have checked below and it works fine

 <base search>| eval VaronisStatus=if('(g)Location'!="Varonis" AND MonitoringStatus!="Monitored" AND like(Path,"%Hosting%"),"Action Required", "No Action Required")

Could you please tell me situation where its not working as expected..

EVALstatement not working

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation

EVALstatement not working

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026