Hi, I wonder whether someone may be able to help me please.
Although I've been using Splunk for a few months now, I'm still coming up against statements I've not seen before.
One of which is this | eval verifiedButBounced=if('detail.verifiedButBounced'!="", 'detail.verifiedButBounced.count',0)
Could someone possibly explain to me what this statement is actually doing, and whether there is a more efficient way of writing it?
Many thanks and kind regards
Chris
So the eval command's if works just like the IF macro in Excel. The idea here is that the search is trying to "zero-fill" a field if the contents of the field are the empty string. This is a fairly common idiom, and can sometimes be replaced with the coalesce function like so:
| eval verifiedButBounced = coalesce('detail.verifiedButBounced',0)
The trickery here is the use of both " and '. In eval, a . (dot) character can be used to mean string concatenation. It can also be used in a field name, for example if a field comes from JSON data. So if you have the string detail.verifiedButBounced, do you mean a field named detail.verifiedButBounced, or do you mean detail concatenated with verifiedButBounced? It is ambiguous! The eval command uses a single quote around a field name to "escape" otherwise special characters within that field name. Double quotes are used to represent static strings. So your original eval could be expressed as:
If the field named detail.verifiedButBounced is not equal to the string "", then set the new field verifiedButBounced equal to the value of detail.verifiedButBounced. Otherwise, set the value of the new field verifiedButBounced equal to 0.
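Added example, not part of the original thread: a self-contained search that fabricates three rows with makeresults, one where detail.verifiedButBounced has a value and a .count sub-field, one where it is the empty string, and one where it is absent, and then evaluates the original if() form, the coalesce() form from the answer, and the two mis-quoted spellings side by side. All field values and the result names viaIf, viaCoalesce, unquoted and literal are constructed for illustration.

```spl
| makeresults count=3
| streamstats count AS row
| eval 'detail.verifiedButBounced'       = case(row=1, "true", row=2, "")
| eval 'detail.verifiedButBounced.count' = case(row=1, 7)
| eval viaIf       = if('detail.verifiedButBounced'!="", 'detail.verifiedButBounced.count', 0)
| eval viaCoalesce = coalesce('detail.verifiedButBounced', 0)
| eval unquoted    = detail.verifiedButBounced
| eval literal     = "detail.verifiedButBounced"
| table row detail.verifiedButBounced detail.verifiedButBounced.count viaIf viaCoalesce unquoted literal
```

Row 1 is the normal case and both idioms agree. Row 2 is where they differ: if() sees a non-null field that equals "" and falls through to 0, whereas coalesce() only replaces a null value, so it passes the empty string through unchanged; that is the reason the answer says coalesce can only "sometimes" replace the if(). Row 3 has no field at all (case() with no matching clause yields null), so coalesce() returns 0 and the comparison inside if() does not evaluate true, so it also returns 0. The last two columns show the quoting trap: unquoted detail.verifiedButBounced is parsed as the field detail concatenated with the field verifiedButBounced, neither of which exists here, and the double-quoted spelling is a literal string that is never equal to "", so used as the condition it would make if() take the true branch on every event.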
Hi @dwaddle, for confirmation, "detail.verifiedButBounced" is the name of the field.
Thank you very much for the confirmation on the steps the statement is taking; it's very useful and will certainly help in the future.
Kind Regards
Chris