
Eval If Statement

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

Although I've been using Splunk for a few months now, I'm still coming up against statements I've not seen before.

One of which is this:

| eval verifiedButBounced=if('detail.verifiedButBounced'!="", 'detail.verifiedButBounced.count',0)

Could someone possibly explain to me what this statement is actually doing, and is there a more efficient way of writing this?

Many thanks and kind regards

Chris

1 Solution

dwaddle
SplunkTrust

So the eval command's if works just like the IF macro in Excel. The idea here is that the search is trying to "zero-fill" a field if the contents of the field are the empty string. This is a fairly common idiom, and can sometimes be replaced with the coalesce function like so:

| eval verifiedButBounced = coalesce('detail.verifiedButBounced',0)

The trickery here is the use of both " and '. In eval, a . (dot) character can be used to mean string concatenation. It can also be used in a field name, like if a field comes from JSON data. So if you have the string detail.verifiedButBounced do you mean a field named detail.verifiedButBounced or do you mean detail concatenated with verifiedButBounced? It is ambiguous! The eval command uses a single-quote around a field name to "escape" otherwise special characters within that field name. Double quotes are used to represent static strings. So your original eval could be expressed as:

If the field named detail.verifiedButBounced is not equal to the string "" then set the new field verifiedButBounced equal to the value of detail.verifiedButBounced. Otherwise, set the value of the new field verifiedButBounced equal to 0.
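
An added illustration, not part of dwaddle's answer and not Splunk's own code: the Python below emulates the eval semantics the answer describes, so the three readings of detail.verifiedButBounced (single-quoted field reference, double-quoted string literal, bare concatenation) and the null handling of if() and coalesce() can be seen on constructed events. It also makes one caveat visible that a practitioner should check before swapping the two forms: coalesce only substitutes for a field that is missing (NULL), so an existing empty-string value passes through unchanged, whereas the if() form zero-fills both the missing and the empty-string case; and the coalesce line quoted above returns the parent field rather than its .count subfield. The field names, sample events and the behaviour of a bare concatenation over a missing field are assumptions of this example.

```python
"""Emulation of the Splunk eval semantics discussed above (constructed example,
not Splunk's own code): single- vs double-quoted operands, and how if() and
coalesce() treat a missing (NULL) field versus an empty-string field."""
from typing import Any, Dict, Optional

Event = Dict[str, Any]
NULL = None  # stands in for Splunk's NULL: the field does not exist on the event


def eval_operand(token: str, event: Event) -> Any:
    """Resolve one eval operand the way the answer describes:
    'name' is a field reference (dots are part of the name),
    "text" is a string literal, and a bare a.b concatenates fields a and b."""
    if token.startswith("'") and token.endswith("'"):
        return event.get(token[1:-1], NULL)
    if token.startswith('"') and token.endswith('"'):
        return token[1:-1]
    # Bare token: every dot is the concatenation operator. Assumption for this
    # emulation: parts that are missing from the event contribute nothing.
    parts = [event.get(p, NULL) for p in token.split(".")]
    present = [str(p) for p in parts if p is not NULL]
    return "".join(present) if present else NULL


def splunk_ne(a: Any, b: Any) -> Optional[bool]:
    """The != comparison: a comparison involving NULL is never true."""
    if a is NULL or b is NULL:
        return NULL
    return a != b


def splunk_if(cond: Optional[bool], then_v: Any, else_v: Any) -> Any:
    """if(): only a condition that is actually true selects the then-branch."""
    return then_v if cond is True else else_v


def splunk_coalesce(*args: Any) -> Any:
    """coalesce(): the first argument that is not NULL. An empty string is not NULL."""
    for a in args:
        if a is not NULL:
            return a
    return NULL


def zero_fill_with_if(event: Event) -> Any:
    # | eval verifiedButBounced=if('detail.verifiedButBounced'!="", 'detail.verifiedButBounced.count',0)
    cond = splunk_ne(eval_operand("'detail.verifiedButBounced'", event),
                     eval_operand('""', event))
    return splunk_if(cond, eval_operand("'detail.verifiedButBounced.count'", event), 0)


def zero_fill_with_coalesce(event: Event) -> Any:
    # | eval verifiedButBounced = coalesce('detail.verifiedButBounced',0)
    return splunk_coalesce(eval_operand("'detail.verifiedButBounced'", event), 0)


# Constructed events mimicking three shapes the JSON source might produce.
EVENTS: Dict[str, Event] = {
    "bounced":      {"detail.verifiedButBounced": "true", "detail.verifiedButBounced.count": 3},
    "empty_string": {"detail.verifiedButBounced": ""},
    "field_absent": {"detail": "x", "verifiedButBounced": "y"},
}


def compare(events: Dict[str, Event] = EVENTS) -> Dict[str, Dict[str, Any]]:
    """Run both forms over every event so the differences are visible side by side."""
    return {name: {"if": zero_fill_with_if(ev), "coalesce": zero_fill_with_coalesce(ev)}
            for name, ev in events.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:13s} if -> {result['if']!r:7} coalesce -> {result['coalesce']!r}")
    ev = EVENTS["field_absent"]
    print("bare detail.verifiedButBounced on field_absent ->",
          eval_operand("detail.verifiedButBounced", ev))
```

Running it shows the if() form yielding 3, 0 and 0 for the three events, while coalesce yields "true", "" and 0: the empty-string event is the one where the two idioms part ways, and the bare token on the last event concatenates to "xy" rather than looking up a dotted field.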

IRHM73
Motivator

Hi @dwaddle, for confirmation the "detail.verifiedButBounced" is the name of the field.

Thank you very much for the confirmation on the steps the statement is taking, it's very useful and will certainly help in the future.

Kind Regards

Chris

0 Karma