Splunk Search

EVALstatement not working

davidcraven02
Communicator

My eval statement below is to check if 'Action is Required' only if the below conditions are met, I have also used case and if statement to determine this, however none of these have worked.

  • Location does not equal Varonis (i.e equals Not in Varonis)
  • MonitoringStatus does not equal Monitored (i.e equals Not Monitored)
  • Contains the word "Hosting" in the Path field

| eval VaronisStatus=if(('(g)Location'!="Varonis" AND(MonitoringStatus!="Monitored") AND like(Path,"%Hosting%")),"Action Required", "No Action Required")

|| eval VaronisStatus=case(('(g)Location'!="Varonis" AND(MonitoringStatus!="Monitored") AND like(Path,"%Hosting%")),"Action Required" , 1=1,"No Action Required")

Tags (2)
0 Karma

493669
Super Champion

Hi @davidcraven02,
I have checked below and it works fine

 <base search>| eval VaronisStatus=if('(g)Location'!="Varonis" AND MonitoringStatus!="Monitored" AND like(Path,"%Hosting%"),"Action Required", "No Action Required")

Could you please tell me situation where its not working as expected..

0 Karma