EVALstatement not working

davidcraven02 · ‎01-17-2018

My eval statement below is to check if 'Action is Required' only if the below conditions are met, I have also used case and if statement to determine this, however none of these have worked.

Location does not equal Varonis (i.e equals Not in Varonis)
MonitoringStatus does not equal Monitored (i.e equals Not Monitored)
Contains the word "Hosting" in the Path field

| eval VaronisStatus=if(('(g)Location'!="Varonis" AND(MonitoringStatus!="Monitored") AND like(Path,"%Hosting%")),"Action Required", "No Action Required")

|| eval VaronisStatus=case(('(g)Location'!="Varonis" AND(MonitoringStatus!="Monitored") AND like(Path,"%Hosting%")),"Action Required" , 1=1,"No Action Required")

493669 · ‎01-17-2018

Hi @davidcraven02,
I have checked below and it works fine

 <base search>| eval VaronisStatus=if('(g)Location'!="Varonis" AND MonitoringStatus!="Monitored" AND like(Path,"%Hosting%"),"Action Required", "No Action Required")

Could you please tell me situation where its not working as expected..

EVALstatement not working

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

EVALstatement not working

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!