Hello All

I'm trying to use eval if like command with json type data (kv_mode = json) but it seems as though it's not respecting the command when used on this type of data.

I'm searching Nessus data and we are using Splunk_TA_nessus

I'm trying to do something like:

index=nessusdata sourcetype="tenable:sc:vuln" scan_result_info.name="my scan*"
| eval newfield=if(like(scan_result_info.name, "my scan%"), "it's working", "it's not working")

All results return as not working meaning the if like eval isn't working.

I've tried it eval a=if(scan_result_info.name like "my scan%", "working", "not working")

Neither works with Nessus type data but everything works when I use the same commands on iis type data. I know that I'm typing the commands correctly.

Could someone explain to me how to get this to work with data where kv_mode = json

Is there another way to go about this or am I out of luck with eval if like against Json type data?